Firefox's "master password" protection has been using a weak mechanism that depends on the deprecated SHA-1 hashing algorithm to protect access to users' stored website passwords. And the Firefox bug has languished unfixed for nearly nine years on Bugzilla, Mozilla's bug tracking system.
A SHA-1 hash, even when applied with a random salt value as Firefox does with the master password, can be brute forced in as little as a minute, according to Wladimir Palant, who discovered that the Firefox bug had fallen through the cracks for nearly nine years. Palant is the developer of Adblock Plus, the content filtering and ad blocking browser extension.
While investigating how Mozilla's browser code handled the conversion of a master password into an encryption key, Palant sought to determine how well using a master password key with Firefox actually protected a user's stored passwords. While he noted that not using a master password is "equivalent to storing them in plain text," he added that "it is commonly believed that with a master password your data is safe. Quite remarkably, I haven't seen any articles stating the opposite."
"However, when I looked into the source code," Palant wrote in a blog post, "I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here."
As Palant notes, the Firefox bug leaves master passwords vulnerable because SHA-1 hashes have been proved too weak for security use since at least 2005; also, the master password is hashed only one time with a random salt value. For the average password with approximately 40 bits of randomness, Palant suggested that an attacker with one Nvidia GTX 1080 graphics card could recover the average password in about one minute.
Mozilla downplays the Firefox bug
The record of Mozilla developers' response to the Firefox bug, first recorded on Bugzilla in Oct. 2009, seems fairly casual. The initial report noted that simply increasing the number of iterations of the SHA-1 hash to 1,000 would help improve security; more substantive activity in the bug record did not start until Palant noted his discovery on March 10, writing "nine years later I looked [at] the same topic without being aware of this discussion and was shocked to see a single SHA-1 iteration being used to hash passwords."
According to Mozilla, the feature was never intended to be secure from all types of attack.
"This feature satisfied the simple need to hide passwords from other family members on a shared computer," a Mozilla spokesperson told SearchSecurity. "It was not intended to prevent a dedicated attacker from recovering passwords which would require a different design and not simply a stronger password primitive."
Chris Eng, vice president of research at Veracode, agreed that this Firefox bug could be a tempest in a teapot.
Chris Engvice president of research, Veracode
"While a single iteration of SHA-1 is far from state of the art in terms of password storage, it's important to consider the threat model and trade-offs here," Eng told SearchSecurity. "The password file is only stored on the user's computer, so an attacker wouldn't be able to brute force the passwords without first compromising that system to obtain the file. That's possible to do, but it's a big difference from saying that everyone who uses Mozilla's password manager is suddenly at risk. Also, brute force is not a golden key -- if the passwords are sufficiently long and complex, brute force can still take a long time."
The bug reporting process may appear to impose order on what can be an inherently chaotic process, and sometimes bug reports can get short-changed.
"I submitted a bug to Firefox that wasn't fixed for over year, and then it was recreated at a later date," Chuck McAuley, principal security engineer Keysight Technologies told SearchSecurity. "Sometimes there is disagreement over what qualifies as a security bug between the vendor and reporter, even in open source projects. If the reporter doesn't advocate or disclose the bug to a larger audience it just sits in some long forgotten queue of 'future.'"
However, the persistence of older, deprecated algorithms like the SHA-1 hash still represents a problem for any software project of "a certain age."
"This is more of a global issue for all software that is ten or more years old, not just Firefox," said Steve McGregory, head of the application and threat intelligence team at Keysight Technologies. "There's a saying, 'If it ain't broke, don't fix it,' and while this use of an old technology is antiquated to us now, no one was looking at it because it was kind of working. Anything developed ten or more years ago used old libraries, old mechanisms, and they likely still use those old libraries or mechanisms. Code maintenance must include upgrading encryption and libraries in order to keep the products up to date, and hopefully minimizing these types of issues."