How did Firefox get my passwords?



  • I just installed Firefox browser, while I have previously used Google Chrome as my main browser. I am using Windows 10.

    During the installation and setup process for Firefox, I was given the option to migrate over my data from Chrome, including usernames and passwords. This process completed quickly, and I was then able to log in to various websites using my saved passwords that I previously had in Chrome. This whole process was quite convenient, but it got me thinking:

    How did Firefox get my passwords?

    I never had to type in any of my passwords into Firefox, and I never had to do anything in Chrome to "release" this information to Firefox. The only requirement given by Firefox was that Chrome should be closed during the process. I also didn't need to grant the installer program any elevated privileges, besides just allowing it to run.

    So what mechanism is Firefox using to retrieve these passwords from Chrome? This other answer claims that Windows has no mechanism to protect the passwords, but I still wonder what the actual mechanism is, and why the browser design is unable (or unwilling for some other reason) to protect access to the passwords through any other means outside of OS privileges. (The only explanation I've come up with is that it is inconvenient for the user to enter their "master password" every time they start the browser).

    My previous understanding was this:

    If I try to view my passwords in Chrome on passwords.google.com, I have to re-enter the password to log in to my main Google account where they (presumably) are stored. Of course, to actually use these passwords to log in to a site on Chrome, I don't have to enter my main password most of the time. I assume this is because the browser has a session token that it uses to authenticate the retrieval of these passwords in most cases.

    Could it be that Firefox "stole" this token to access my passwords? Or that the passwords are actually stored locally in some form that can be decrypted without needing the user's input?

    And finally, does this mean that it is trivial for any program to steal my passwords in this manner?



  • (I had to do some quick research for this intriguing question.)

    The saved passwords can be decrypted by Firefox (or any other software) as long as it is running within your Windows account on the same machine where the passwords were encrypted.

    Chrome encrypts stored passwords using CryptUnProtectData; the algorithm relies on the user's logon credentials and some information specific to the machine to decrypt the passwords.

    You can check a Python implementation here that uses the same encryption function to read the saved passwords in Chrome.
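    As an added illustration of the mechanism the answer describes (example code written for this page, not from the question or answer, and not Chrome's own code), the PowerShell script below uses the .NET ProtectedData wrapper around the same DPAPI calls: it protects a constructed sample secret, shows an unrelated process running under the same Windows account decrypting it with no prompt, and shows what the optional entropy parameter changes. It assumes Windows PowerShell 5.1 on Windows with System.Security.dll available.

```powershell
# Added example (not from the question or answer, and not Chrome's own code).
# Assumes Windows PowerShell 5.1; ProtectedData wraps CryptProtectData/CryptUnprotectData.
Add-Type -AssemblyName System.Security
$DP    = [System.Security.Cryptography.ProtectedData]
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed sample secret, not a real password.
$secret = [Text.Encoding]::UTF8.GetBytes('sample-secret-12345')

# 1. Protect the way the answer describes: keyed to this user's logon credentials
#    and this machine, with no optional entropy supplied.
$blob = $DP::Protect($secret, $null, $scope)
$b64  = [Convert]::ToBase64String($blob)

# 2. Hand the opaque blob to a completely separate process running as the same
#    user. It decrypts with no prompt and shares nothing with us but the account,
#    which is the property the question is asking about.
$cmd = "Add-Type -AssemblyName System.Security; " +
       "[Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect(" +
       "[Convert]::FromBase64String('$b64'), `$null, 'CurrentUser'))"
$recovered = & powershell.exe -NoProfile -NonInteractive -Command $cmd
"Other process recovered: $recovered"

# 3. Optional entropy: an extra secret mixed into the protection. A same-user
#    process that does not know it fails, which shows where the boundary sits.
$entropy = [Text.Encoding]::UTF8.GetBytes('per-app-entropy')
$blob2   = $DP::Protect($secret, $entropy, $scope)
try {
    $DP::Unprotect($blob2, $null, $scope) | Out-Null
    "Unexpected: decrypted without the entropy"
} catch {
    "Without the entropy: $($_.Exception.GetBaseException().Message)"
}
# The entropy itself still has to be stored somewhere the application can read
# it under the same account, so it raises the effort rather than moving the
# trust boundary away from the Windows user account.
```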


