cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Firefox stores cookies locally without encryption, is it ok?

kennyfs
Making moves

Hello everyone,

I recently came across some disturbing news that Linus Tech Tips (LTT) was hacked via a malicious email attachment that stole session keys stored locally on the victim's browser. This made me concerned about the security of my own browser. Upon further investigation, I discovered that Firefox stores cookies in an unencrypted SQLite file on my computer.

I think Firefox should consider encrypting cookies to prevent similar hacks in the future. Is there a reason why Firefox doesn't encrypt cookies?

4 REPLIES 4

fhfs
Making moves

I am also interested in how the cookies can be protected, or an explanation why they cant really protected if that is the case.

It seems all the rage, to grab the cookies instead of getting passwords. Cookies seem to be the weakest link.

jscher2000
Leader

I posted my thoughts on this over on Reddit the other day:


The cookies.sqlite database file is not encrypted, and its contents are not encrypted. In theory, the contents could be encrypted using a mechanism similar to the Primary Password used for logins saved in logins.json: you would provide the password once per session to allow Firefox to decrypt cookies coming out of the database and encrypt cookies going into the database. It sounds like it could be a drag on performance, and query whether this presumably low frequency attack justifies the precaution.

On the server side, if a cookie is suddenly presented from a different IP address, that ought to raise a red flag. In our era of mobility, I think web app designers don't want to inconvenience you by requiring you to sign in again when your IP address changes, but for highly sensitive apps, that probably would be a worthwhile setting.


https://www.reddit.com/r/firefox/comments/120t8bg/malware_which_steals_browser_info_session_tokens/

In the meantime, malware executing on your system outside of your targeted browsers can be blocked/defended in other ways. For more information on why the malware might not be detected by your antivirus, see: https://www.youtube.com/watch?v=nYdS3FIu3rI.

Linus Tech Tips recently was hacked by a redline infostealer pdf/scr file in a malicious sponsor email. I myself have been receiving a ton of such fake sponsor emails and in this video we look at the attack process. Get Crowdsec for free: https://www.crowdsec.net/?mtm_campaign=PCSecMag-May22 ...

Then, Firefox can implement a setting that also requires a master password to decrypt stored cookies at startup.


@kennyfs wrote:

Then, Firefox can implement a setting that also requires a master password to decrypt stored cookies at startup.


You can post product suggestions on the "Ideas" side of this site:

https://connect.mozilla.org/t5/ideas/idb-p/ideas