Firefox Master Password Phishing Risk

TL;DR

Yes, a cleverly crafted fake website can trick you into entering your Firefox master password if you’re not careful. The fake dialog looks genuine, but it is drawn by the web page, not by Firefox itself. Always double-check the URL before entering your password.

Understanding the Risk

Firefox never hands your master password to websites; it is used only by the browser itself to unlock the logins it has stored. The genuine prompt is a dialog drawn by Firefox, but a web page can use JavaScript to draw its own dialog inside the page content that closely imitates it. That is what makes this phishing possible: a malicious website can show a fake password prompt and collect whatever you type into it.

How Phishing Works

  1. Fake Website: You visit a website that looks legitimate (e.g., a bank, email provider).
  2. JavaScript Prompt: The website uses JavaScript to display a password dialog box. This prompt will look very similar to the real Firefox master password prompt.
  3. You Enter Password: If you enter your master password into this fake prompt and click ‘OK’, the website immediately captures it.
  4. Account Compromise: The attacker now has your master password, giving them access to all saved logins in Firefox.

How to Protect Yourself

  1. Always Check the URL: This is the most important step! Before entering your master password, carefully examine the address bar. Make sure you are on the correct website. Look for typos or subtle changes in the domain name (e.g., bank-login.com instead of bank.com).
  2. HTTPS is Not Enough: A secure connection (HTTPS) only means your communication with the website is encrypted, not that the website itself is trustworthy. Phishing sites can also use HTTPS.
  3. Be Wary of Links: Avoid clicking links in emails or messages asking you to log in. Type the website address directly into your browser’s address bar instead.
  4. Two-Factor Authentication (2FA): Enable 2FA on all important accounts whenever possible. This adds an extra layer of security, even if your master password is compromised.
  5. Firefox Account Sync: If you use Firefox Account Sync, ensure your account has strong security measures enabled, including a strong password and 2FA.
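
The URL checks in steps 1 and 2 above, as an added example that is not part of the original post: a small JavaScript function that applies them to a URL and rejects the lookalike patterns the post describes (hyphenated variants, the real domain used as a subdomain of another site, credentials embedded in the URL, and punycode/homoglyph hostnames). The expected domain bank.com and the sample URLs are constructed for illustration.

```javascript
// Added example, not the post's own code: applies "Always Check the URL"
// and "HTTPS is Not Enough" to a URL. expectedHost is the assumed
// registrable domain of the genuine site (e.g. "bank.com").
function checkOrigin(rawUrl, expectedHost) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases host, IDN labels become xn--
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  const host = url.hostname;
  const expected = expectedHost.toLowerCase();

  // HTTPS is necessary but not sufficient; still refuse plain HTTP.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://bank.com@evil.example/" has hostname evil.example and username
  // "bank.com"; a login URL should never carry userinfo at all.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // Homoglyph domains (e.g. a Cyrillic letter in place of a Latin one) are
  // parsed to punycode, so the lookalike is visible here even if the
  // address bar renders it with familiar-looking letters.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode label in hostname" };
  }
  // Exact match or a genuine subdomain on a label boundary: "login.bank.com"
  // passes; "bank-login.com", "notbank.com" and "bank.com.evil.example" fail.
  if (host !== expected && !host.endsWith("." + expected)) {
    return { ok: false, reason: "host " + host + " is not " + expected };
  }
  return { ok: true, reason: "host is " + expected + " or a subdomain of it" };
}

// Constructed sample URLs covering the tricks the post warns about.
const SAMPLES = [
  "https://bank.com/login",
  "https://login.bank.com/",
  "http://bank.com/login",
  "https://bank-login.com/",
  "https://bank.com.evil.example/",
  "https://bank.com@evil.example/",
  "https://b\u0430nk.com/", // Cyrillic "а" in place of Latin "a"
];

for (const u of SAMPLES) {
  console.log(u, checkOrigin(u, "bank.com"));
}
```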

Identifying a Fake Prompt

  • Prompt Origin: A genuine master password prompt appears only when Firefox itself needs to unlock your saved logins, for example to fill in a login form. Because it is part of the browser rather than the page, it is not affected by scrolling or resizing the page content. If you’re prompted unexpectedly on a website where you don’t usually need to log in, be suspicious.
  • Browser Security Warnings: Pay attention to any security warnings your browser displays about the website.

What if You Entered Your Password?

  1. Change Firefox Master Password Immediately: Go to about:preferences#privacy in your Firefox address bar and change your master password.
  2. Review Saved Logins: Remove all saved logins from Firefox (about:logins) and re-save them after changing the master password.
  3. Monitor Accounts: Keep a close eye on your important accounts for any suspicious activity.
  4. Run a Malware Scan: Perform a full system scan with a reputable antivirus program to check for malware that may have been installed by the phishing website.