Primary Password for password storage did not stop hack
Hi, I recently was hacked, unfortunately, due to a stupid screw-up involving a person who had hacked a friend's account and had me download some malware disguised as a "game he worked on", and he managed to get all my passwords stored in Firefox (spent 9 hours straight changing all 200 of them and wiping the laptop). I believe I am misinterpreting some things on how secure the storage of passwords is for Firefox, as I thought using the "Primary Password" function would encrypt everything properly. The hacker proved he had them unencrypted by sending some examples to me to flaunt.
Was he able to gain access to the passwords due to me already having Firefox open when I was compromised (even if the primary password is asked for before entering each password)? Or is there some issue with Firefox not storing them properly? Or is there some other less-known issue with Windows or Edge or something "stealing" the passwords and storing them in an unencrypted file without me knowing?
This whole thing makes me feel less trustful of Firefox, to say the least, and while the hack itself was my fault, I just want to know if there was something else I could have done other than using KeePass or some other password manager to exclusively store passwords (which is what I am going to do now and probably should have been doing).
TLDR - Primary password did not stop the hacker from seeing passwords - Any clarification on whether this was my fault in trusting it for such things or if there is an actual issue with Firefox's approach?
Thanks for any help or clarification.
All Replies (6)
If you got hacked then this hacker might have installed software that intercepts key presses, so if you entered the PP before you cleaned up this malware then the attacker could get access to all logins. It is possible that he only got access to a few passwords that you entered. If you are sure that your device is clean, then set a new PP when you boot the computer in Safe Mode, just to be sure.
Ah, I meant to add this in my original post. The hacker was in my system for about 5 minutes and I did not go and enter my password during that time. (I was dead tired when it occurred and in hindsight I should have turned off my computer immediately and stopped more damage from occurring.) The reason for not shutting down the laptop immediately is due to my tired brain not thinking and communicating on Discord with my friend on his alt account talking to me about him being hacked. (Don't know if editing this spams people with notifications, so sorry if it does; I just keep thinking of new things to add.)
colza said: "The hacker was in my system for about 5 minutes"
How can you be so certain of the attack vector and duration? Your system could have been compromised much earlier some other way, your Mozilla account could have been hacked or a different device could have been infiltrated.
If you have a Mozilla account, make sure it is secure with two-factor enabled and you have a primary password enabled on all devices.
I can be so certain as to the duration as I clicked the supposed "game" to test and immediately noticed weird things happening, like Discord closing and no game appearing. Being dead tired and confused, and trying to confirm the legitimacy of my friend's account, I talked to my friend on his Discord alt account for around 5 minutes (not signing into anything, just talking on Discord) before realizing I am an idiot and turned off the laptop and continued on another device. After being shut down, this laptop was turned on for one moment with the internet disabled to retrieve some not-backed-up files to a drive, then immediately shut down again, and I wiped the laptop later on and installed Windows again. I did not at any point sign in to anything while it was compromised. Please let me know if there are other details needed to try and solve this.
Note: The laptop was the only device compromised and had a primary password set.
That's very unfortunate. I don't know how these hacks work, but here are my general thoughts:
If a hacker takes the logins.json file and key4.db file, but can't supply the primary password, they shouldn't be able to extract the passwords without enormous effort (for a brute force/dictionary attack, proportional to the complexity of the primary password).
It's possible Firefox stored the primary password in memory after you entered it, so if the malware could steal a memory dump, perhaps they could extract it. I'm not sure about that scenario.
If they didn't take the files or discover the primary password, but were able to execute a script in the Browser Console (Ctrl+Shift+J, but by default, the command line isn't enabled) after you entered the Primary Password, they probably could extract the full list of logins from there and copy/paste it somewhere. However, doing that via remote control without you noticing something happening with Firefox while you were on the computer would be quite a trick.
That is quite plausible. The hack was very quick and didn't hide too hard, though you wouldn't notice that much if you weren't looking at Task Manager. The only thing that set off alarm bells was when Discord suddenly closed and opened after clicking on the "game" (malware) that was sent. Discord also looked slightly off after opening again, though I wouldn't know how to describe why. I wish I had just shut the computer down immediately, but I wasn't thinking straight and let it go for a few minutes while confirming my friend had been hacked. I heard many people were hacked in a very short period of time. When checking the computer the second time, after booting it back up again to copy some files real quick, I saw that the malware was disguised as "Windows Boot Manager" by "Unity". This to me shows the person wasn't planning to go for the long-game type of hack where you never really know you are screwed; he just used some pretty obvious spoofed names and didn't even change the process icon to blend in. Really a smash-and-grab tactic. The guy was even "lovely" enough to taunt me on Discord with my friend's hacked account.