Weak password requirements in Mozilla Firefox

#VU26652 Weak password requirements in Mozilla Firefox

Cybersecurity Help s.r.o.

Published: 2020-04-07

Vulnerability identifier: #VU26652

Vulnerability risk: Low

CVSSv3.1: 1.6 [CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-6824

CWE-ID: CWE-521

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a local user to gain access to another user password.

The vulnerability exists due to incorrect behavior of password generator when private browsing mode is user. If the victim had used password generator in a Private Browsing Window to generate a password and then closed the private window while leaving Firefox open, the attacker can open another private browsing session, visit the same website and Firefox will generate identical password.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 74.0 - 74.0.1

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-12/

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Mozilla Firefox

Arch Linux update for firefox

Ubuntu update for Firefox

Weak password requirements in firefox (Alpine package)

Multiple vulnerabilities in Mozilla Firefox