Avast AV could read Firefox saved passwords

Passwords saved by Firefox are not encrypted (they are encrypted, but the key can be read out) until you set a master password. I don't think that this is a bug, but every virus could read those passwords nonetheless.


Firefox can decrypt the passwords without you entering a password. That means it must have the decryption key--which means any program that knows how Firefox stores things can find them. This applies to any program that stores information on your system. Encryption is only a strong defense if you have to provide the decryption key before accessing the stored data. (Note that this is accomplished by using the supplied password as the decryption key--no password, no decryption, no access to the encrypted data. This inherently means there's no recovery of the password other than by external storage somewhere.)

Encrypting the passwords stops someone from using Notepad to read your passwords, it does not stop a serious attempt to find them.


How does Firefox save the passwords?

Previous answers have already presented the general idea, but a more in-depth explanation can be provided.

Firefox stores all user information in the profile folder. On Windows, it's located under %APPDATA%\Mozilla\Firefox\Profiles\; and on Linux, ~/.mozilla/firefox/.
The profile folder is created the first time Firefox is started for the current user, and typically has a cryptic name, like y7ogrp85.default in my case. This name is meant to be unique.

Since version 32 of Firefox, two files residing under the profile folder are responsible for managing saved passwords inside the browser. They are: logins.json and key3.db.

The first file, logins.json, contains actual information such as a list of usernames, passwords, domain names etc. It also lists the websites for which you opted NOT to save a password. However, these are encrypted. You can check for yourself.

The second file, key3.db, holds the key to decrypt the sensitive information found in the previous file, such as usernames and passwords.

Now, this implementation is not a secret (after all, Firefox is open source), and anyone can develop their own means to get someone's passwords by reading these files. In fact, it's been done already. I know of a tool by Nirsoft called PasswordFox for that.

There is one possible caveat, and it's the possibility of the user having implemented a master password within Firefox; this will encrypt the key3.db file itself. But there are means around that too, by brute-forcing the file with utilities made for that purpose, like John the Ripper and others.

Is it a bug which is being exploited by Avast?

Nope, not a bug. It's just the way the browser has been designed (not from scratch though - it's evolved a lot since the first versions). I believe it's reasonably convenient and secure. As long as:

  • Your system isn't compromised;
  • Nobody you don't trust has physical access to your computer, or, worse yet, unrestricted access to your files / your user account;
  • Your files are protected by Full Disk Encryption, in case your PC is stolen,

you should be fine. In any case I do recommend setting a strong master password or, even better, switching to a dedicated password manager such as KeePassXC.


(I'm not personally connected with Nirsoft, Firefox or KeePassXC. I'm just a user.)
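The answer above says the contents of logins.json are encrypted and that "you can check for yourself". The script below is an added example, not code from the answer, from Mozilla or from Nirsoft: it audits a profile from the defender's side without decrypting anything. It confirms that every `encryptedUsername` / `encryptedPassword` field is an opaque base64 blob rather than plain or merely base64-wrapped text, lists the hosts for which saving was declined (`disabledHosts`), and flags whether logins.json and the key file are readable by other local users. The sample document, hostnames and blobs are constructed; the profile paths are the ones the answer names, and key4.db is mentioned only because it is the SQLite successor to key3.db in later Firefox versions.

```python
"""Audit a Firefox profile's saved-login files without decrypting anything.

Added example (not code from the original answer). It checks the answer's
claim that logins.json holds only encrypted blobs plus the list of sites for
which saving was declined, and flags profile files other local users can read.
All sample data below is constructed; the blobs are not real NSS ciphertext.
"""
import base64
import binascii
import json
import os
import stat
import sys
from pathlib import Path


def _fake_blob(seed: int) -> str:
    """Constructed stand-in for an NSS-encrypted field: base64 over bytes that
    include NUL and other non-printable values, as real ciphertext would."""
    raw = bytes([0x30, 0x2E, 0x04, 0x10]) + bytes(16) + bytes(range(seed, seed + 20))
    return base64.b64encode(raw).decode("ascii")


# Constructed sample in the logins.json layout (hostnames are hypothetical).
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 3,
    "logins": [
        {"id": 1, "hostname": "https://mail.example",
         "encryptedUsername": _fake_blob(1), "encryptedPassword": _fake_blob(40)},
        {"id": 2, "hostname": "https://shop.example",
         "encryptedUsername": _fake_blob(7), "encryptedPassword": _fake_blob(90)},
    ],
    "disabledHosts": ["https://bank.example"],
})


def looks_encrypted(value: str) -> bool:
    """True if the field is a non-empty base64 blob whose decoded bytes are not
    all printable ASCII. A password stored as plain text, or merely base64-
    wrapped, fails this test; DER-wrapped NSS ciphertext passes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and any(b < 0x20 or b > 0x7E for b in raw)


def audit_logins(text: str) -> dict:
    """Summarise a logins.json document: number of logins, fields (if any)
    that are not opaque ciphertext, and hosts the user declined to save."""
    data = json.loads(text)
    report = {"saved_logins": 0, "suspicious_fields": [], "declined_hosts": []}
    for entry in data.get("logins", []):
        report["saved_logins"] += 1
        for field in ("encryptedUsername", "encryptedPassword"):
            if not looks_encrypted(entry.get(field, "")):
                report["suspicious_fields"].append((entry.get("hostname"), field))
    report["declined_hosts"] = list(data.get("disabledHosts", []))
    return report


def readable_by_others(path: Path) -> bool:
    """POSIX check: can group or others read the file? Windows ACLs are not
    reflected in st_mode, so the check is skipped there."""
    if os.name == "nt":
        return False
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def profile_dirs() -> list:
    """Profile locations named in the answer: %APPDATA%\\Mozilla\\Firefox\\Profiles
    on Windows, ~/.mozilla/firefox on Linux."""
    if os.name == "nt":
        root = Path(os.environ.get("APPDATA", "")) / "Mozilla" / "Firefox" / "Profiles"
    else:
        root = Path.home() / ".mozilla" / "firefox"
    return [p for p in root.iterdir() if p.is_dir()] if root.is_dir() else []


def audit_profile(profile: Path) -> dict:
    """Audit one profile directory: presence and permissions of the password
    store (logins.json) and key file (key3.db, or key4.db in newer versions),
    plus the logins.json summary."""
    result = {"profile": str(profile), "files": {}}
    for name in ("logins.json", "key3.db", "key4.db"):
        f = profile / name
        if f.exists():
            result["files"][name] = {"readable_by_others": readable_by_others(f)}
    logins = profile / "logins.json"
    if logins.exists():
        result["logins"] = audit_logins(logins.read_text(encoding="utf-8"))
    return result


if __name__ == "__main__":
    dirs = [Path(a) for a in sys.argv[1:]] or profile_dirs()
    if not dirs:
        print("no Firefox profile found; auditing the constructed sample instead")
        print(json.dumps(audit_logins(SAMPLE_LOGINS_JSON), indent=2))
    for d in dirs:
        print(json.dumps(audit_profile(d), indent=2))
```

Run it with no arguments to audit every profile under the default location, or pass one or more profile directories explicitly. An empty `suspicious_fields` list confirms the answer's point that logins.json alone reveals only which sites have saved logins, not the credentials; a `readable_by_others` flag on logins.json or the key file means the "unrestricted access to your files" condition in the answer's bullet list is already violated for other accounts on the machine.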