Mozilla fixes vulnerability in Firefox password manager
Mozilla warns that it was possible to copy saved passwords in Firefox to the clipboard without having to enter a preset master password. The vulnerability has been fixed with a new version of Firefox.
Mozilla considers the impact of the vulnerability, labeled CVE-2019-11733, to be “medium” and has fixed it in Firefox 68.0.2 and Firefox ESR 68.0.2. By default, users can show passwords for saved logins in Firefox directly from the password manager, but users can also put this option behind a master password.
It turned out that, even with a master password set, passwords could still be copied to the clipboard without entering it. As of Firefox 68.0.2, copying passwords also requires entering the master password.
With the upcoming version 69 of Firefox, Mozilla is making some improvements to its password manager. Among other things, it gets a generator to create secure passwords. Google Chrome, for example, requires entering Windows security credentials by default to view saved passwords.