Wednesday, November 07, 2007

Firefox/Flock - Pretty Large Security Flaw - Passwords in the clear

I picked this up listening to Leo Laporte's KFI podcast a week or two back and just forgot to blog about it:

Did you know that...

In Firefox or Flock, if you go to Tools->Options->Security Tab, you will see a button called "Show Passwords". If you click this button you will see a pop-up dialog box with a list of all of the sites for which you let FF (or Flock) manage your logon information. It will list each site along with your login name. BUT on this dialog there is another button labeled "Show Passwords". If you click on this button, it will SHOW YOUR PASSWORDS IN CLEAR TEXT.

Hmm. That ain't very nice, is it? Especially if you work in an environment where other people might have access to your browser.

Luckily, in the original options dialog box, there is a checkbox marked 'Use Master Password'. Check this box and you will be prompted to enter a master password. This will require that the user enter this password when the browser launches and will require it again if they attempt to show the passwords in the Options dialog (as described above).

Not sure if you let Firefox or Flock manage your logon info, but if you do, you might want to secure it.
