Firefox Master Password Security Issues

A lot of people use the save password feature in browsers so that they don’t have to be bothered to enter their passwords on websites they visit often. Firefox offered users the option of implementing a master password, so that the user would need to enter that password in order to use their bank of saved passwords.

What was just brought to light is that Firefox uses a very low standard of encryption that can be cracked in just a few seconds if the hash is found. SHA-1 hashes were used, which are very insecure as they are easily broken. Although a salt was used, according to the article, 1 iteration count is considered very low, and makes it easy for hackers to obtain the master password through brute force. For comparison, the article provides information that 10,000 iterations is considered the minimum acceptable value, and other password managers, like LastPass, use 100,000 iterations.

What is strange is that someone reported this bug nine years ago, and the Mozilla team just never fixed the issue. They did not provide a reason that they did not fix it, but used the chance to generate excitement for its upcoming password manager called Lockbox. According to the post on the bug report, a solution of switching to the Argon2 library for hashing passwords would be more secure than SHA-1, but based on the above comments it does not seem like Mozilla wants to invest any resources into fixing this issue. In order to protect themselves, users can stop using the Firefox password saving feature and turn off their master password and store their passwords in a third party password manager, such as KeePass, 1Password, Enpass or LastPass.

– Justin Stein

Source: https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/

Security Issue Found in Skype’s Updater

News was just released that Skype’s updater has a security issue which could allow a remote hacker to escalate privileges to system level. This privilege level allows any change to be made to the system, and is even higher than the Administrator account. This problem is very far-reaching, as Skype has an active user base of 300 million users as of January 2018. Of those, most are probably using Windows.

This updater issue mostly targets Windows computers through a process called DLL hijacking. DLL hijacking is a process whereby an attacker replaces a system call to a legitimate library with a call to malicious code that an attacker writes. While this issue is only mostly pertinent to Windows, it also can affect Mac and Linux computers, according to the ZDNet Article.

What makes this attack even worse is that Microsoft has issued a statement saying that the fix is too far-reaching for them to release a security fix, and so instead they are going to fix it in a version upgrade, which could be weeks away. This is a problem because with user-level privileges, hackers can steal personal files and data. With system level access, an attacker can run applications on a remote computer, and even remotely disable with ransomware.

Microsoft has released a statement saying that instead of patching the old client software, they are instead focusing on rewriting the client software.

My recommendation to anyone would be that if you do not use Skype, or almost never use it, uninstall it from your computer.

Sources: