This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Firefox stores cookies locally without encryption, is it ok?

kennyfs
Making moves

‎03-24-2023 03:42 AM

Hello everyone,

I recently came across some disturbing news that Linus Tech Tips (LTT) was hacked via a malicious email attachment that stole session keys stored locally on the victim's browser. This made me concerned about the security of my own browser. Upon further investigation, I discovered that Firefox stores cookies in an unencrypted SQLite file on my computer.

I think Firefox should consider encrypting cookies to prevent similar hacks in the future. Is there a reason why Firefox doesn't encrypt cookies?

4 REPLIES 4

fhfs
Making moves

‎03-28-2023 02:49 AM

I am also interested in how the cookies can be protected, or an explanation why they cant really protected if that is the case.

It seems all the rage, to grab the cookies instead of getting passwords. Cookies seem to be the weakest link.

0 Kudos

jscher2000
Leader

‎03-28-2023 11:59 PM

I posted my thoughts on this over on Reddit the other day:

The cookies.sqlite database file is not encrypted, and its contents are not encrypted. In theory, the contents could be encrypted using a mechanism similar to the Primary Password used for logins saved in logins.json: you would provide the password once per session to allow Firefox to decrypt cookies coming out of the database and encrypt cookies going into the database. It sounds like it could be a drag on performance, and query whether this presumably low frequency attack justifies the precaution.

On the server side, if a cookie is suddenly presented from a different IP address, that ought to raise a red flag. In our era of mobility, I think web app designers don't want to inconvenience you by requiring you to sign in again when your IP address changes, but for highly sensitive apps, that probably would be a worthwhile setting.

https://www.reddit.com/r/firefox/comments/120t8bg/malware_which_steals_browser_info_session_tokens/

In the meantime, malware executing on your system outside of your targeted browsers can be blocked/defended in other ways. For more information on why the malware might not be detected by your antivirus, see: https://www.youtube.com/watch?v=nYdS3FIu3rI.

The Malware that hacked Linus Tech Tips
The Malware that hacked Linus Tech Tips
youtube.com/watch?v=nYdS3FIu3rI
Linus Tech Tips recently was hacked by a redline infostealer pdf/scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails and in this video we look at the attack process. Get Crowdsec for free: https://www.crowdsec.net/?mtm_campaign=PCSecMag-May22 ...

kennyfs
Making moves
In response to jscher2000

‎03-31-2023 08:14 PM

Then, Firefox can implement a setting that also requires a master password to decrypt stored cookies at startup.

0 Kudos

jscher2000
Leader
In response to kennyfs

‎04-03-2023 04:04 PM

@kennyfs wrote:

Then, Firefox can implement a setting that also requires a master password to decrypt stored cookies at startup.

You can post product suggestions on the "Ideas" side of this site:

https://connect.mozilla.org/t5/ideas/idb-p/ideas

0 Kudos
Copyright © 2024 Khoros, LLC