01-20-2023 11:03 PM
I failed to send this to Mitchell Baker as I could not locate an email address for her that worked.
I am a retired but very much faithful Mozilla user since its Netscape inception who today discovered a security flaw in Firefox that has slipped by everyone, probably in the name of user friendliness. I could not sleep with this on my mind! It took me some time to find your contact info but I felt that it needs to go to the top so that it does not get swept under the rug.
I discovered this because Firefox inadvertently signed me into my bank account. Firefox knew my password! I never knowingly give my "serious" passwords to any system other than in sign-ins. Further, I never write down on a system or on paper any password. Passwords on systems must always be one way; in Linux or Unix the user cannot see their own password, nor can the root user see it; they can change it but not see it.
In Firefox/Settings/Privacy&Security/Logins&Passwords/SavedLogins is a listing of all the accounts that I frequent along with their viewable clear text passwords! To see this someone would have to get access to my computer, laptop, Android tablet, iPad, Raspberry Pi, etc., which are all synced (user friendly). But there are my passwords available in clear text! During my 50+ years dealing with system issues I fought naive security issues like this.
I trust that you understand this problem and will have it quietly and securely dealt with. I trust and love your products.
-- Carl E. Køhn (647)299-1508 (239)381-0142
04-18-2023 01:08 AM
I absolutely agree, I can literally see all passwords if I have access to their browser, which is an absolutely awful security flaw.
04-18-2023 09:09 AM
Hi All, it would be better if Firefox prompted you to apply a primary password the very first time you save a login, but it doesn't do that currently. To do it manually, see the steps here:
Note that there is no recovery method for that password, so make sure not to forget it.
One other suggestion:
You can set Firefox NOT to auto-fill login fields, and instead you fill from a drop-down list. This is more secure because it reduces the potential for hidden fields on a page to extract your credentials. Here's how:
On the Settings page (AKA the Preferences page), type pass into the tiny search box so Firefox filters the page to the Logins and Passwords section. Un-check the box for "Autofill logins and passwords".
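An added example, not part of the reply above: a small Python check that reads the text of a profile's prefs.js and reports whether the "Autofill logins and passwords" box is effectively unchecked. It assumes that checkbox is stored as the `signon.autofillForms` pref, that login saving is `signon.rememberSignons`, and that both default to true when absent; the sample prefs text is constructed. Whether a primary password is set is not recorded in prefs.js, so this does not check it.

```python
import re

# Matches lines such as: user_pref("signon.autofillForms", false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed Firefox defaults, used when a pref is absent from prefs.js
DEFAULTS = {"signon.rememberSignons": True, "signon.autofillForms": True}


def parse_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unknown literals as text
    return prefs


def audit_login_prefs(text):
    """Return (effective settings, findings) for the login prefs."""
    prefs = parse_prefs(text)
    effective = {k: prefs.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if effective["signon.rememberSignons"] and effective["signon.autofillForms"]:
        findings.append("saved logins are auto-filled into matching forms")
    return effective, findings


# Constructed sample: a profile where the autofill box has been unchecked
SAMPLE_HARDENED = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("signon.autofillForms", false);
'''

if __name__ == "__main__":
    for label, text in (("hardened", SAMPLE_HARDENED), ("defaults", "")):
        print(label, audit_login_prefs(text))
```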