WARNING! Firefox 68.1.0esr whacks saved credentials

Issues related to applications and software problems
taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/25 12:25:02

I upgraded Firefox recently and this morning I attempted to access a site for which I had saved the logon credentials. They were gone along with all other saved credentials. I restored my Firefox profile from a nightly backup 4 days ago. The credentials were back - until I closed Firefox.

This same sort of thing happened a year or two ago. I do not recall what version of FF. Is anyone else seeing this? It appears to happen ONLY if the credentials are secured with a master password which I think was the case last time as well.

I did a yum downgrade firefox to return to 60.9.0esr and restored my profile again. All is well for the moment (excepting for any security updates which might have been in 68.1.0esr.) I added exclude=firefox* to /etc/yum.conf until a resolution is forthcoming.

Ken

bonedome
Posts: 94
Joined: 2017/04/22 08:11:04

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by bonedome » 2019/10/25 17:43:33

I feel you pain, I did the same about a year ago and had no back up, I still can't access one email account.
Here's what I do every firefox update since then.
Remove master password, close firefox, copy ~/.mozilla to a different folder, if you're paranoid compress and encrypt with 7z, update firefox, open firefox and re-enable master password.
Hasn't failed me yet and you have a complete backup.
I also managed to get some logins back with cookies and a password reset, this site for example.

taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/25 22:54:02

Thanks bonedome,

I guess no one believes in regression testing anymore. I think from looking at the files in my profile that key3.db and cert8.db (which I believe store the credentials) have been updated to key4.db and cert9.db. However, the data was not migrated to the new files. That is my conspiracy theory at the moment :P

For my next trick I am going to copy my FF profile to a Linux Mint virtual machine and open it in FF 70 and see what happens. Last time the next update to FF fixed the problem (provided one still had the data available.) This sounds like something Microsoft would do (and has done and worse.)

As to backup... I recently reinstalled CentOS and encrypted all of my partitions (except boot of course) with cryptsetup/LUKS. / /var and /home are decrypted at boot by a passphrase entered manually. /data on the main SSD, /quitelarge on a second SSD and /xtra on a mechanical drive are decrypted with a key file by crypttab. As my data is now all encrypted I am really paranoid/anal about backups.

In addition to 30 rolling backups of critical, frequently changing data (such as FF and email profiles) to the mechanical drive I have a second mechanical drive which is connected with a USB to SATA adapter. I power this on each evening and run a similar backup scheme except that I am experimenting with using tar rather than just making a copy of key directories and files. This drive is mounted internally but is powered on only for backups or to recover a file. Ransomware protection :mrgreen: And then I have a couple of old external 1 TB drives which I alternate on odd and even days. I backup data to this and several virtual machines which I generally run. This last has proved useful when a system hangup caused me to power cycle the physical machine. This encrypted one of the virtual machines which was running at the time. I was able to recover the previous night's image of the VM and was back in business in a few minutes.

As to your idea of removing the FF master password before backup... I need to look into that as far as this recent fiasco. I have some other FF profiles which have credentials for specific sites but no master password. They were not impacted by the upgrade.

If I get motivated I might see if I can import my credentials from FF into Chromium, upgrade FF, create a clean FF profile and import the stuff back from Chromium. Then figure out which files have the credentials and add them to my old FF profile and then access it with FF 68. That sounds too much like work. I think I will wait for the next update. I did submit a bug report on the CentOS bug page. I guess the folks who maintain that data will kick it upstairs to the "upstream provider." I hope.

I am waiting for Brave to be available on CentOS. I have used it on Mint and it seems like a reasonably secure and privacy minded browser. It is based on Chromium I believe.

Ken

bonedome
Posts: 94
Joined: 2017/04/22 08:11:04

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by bonedome » 2019/10/26 10:48:01

I think from looking at the files in my profile that key3.db and cert8.db (which I believe store the credentials) have been updated to key4.db and cert9.db. However, the data was not migrated to the new files. That is my conspiracy theory at the moment
You've hit the nail on the head there, you can actually watch the above files being converted when you first open an updated firefox with a file manager, but iirc there is a 3rd file logins.json which only exists if you have a master password but if it exists the conversion is corrupted somehow
I've just checked mine and have cert8.db, cert9.db, key4.db and logins.json
Logins.json appears to contain the saved passwords' hashes so in theory if you know the encryption method and master password you could decrypt the passwords.
There is a python script that can do this automatically called firepwd.py https://github.com/lclevy/firepwd

taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/26 12:16:33

It gets even worse. I copied my FF 60 profile to a Mint machine with FF 70. I cannot get it to load. I created a new default profile, deleted the stuff from it and replaced it with my files. NOTHING comes across. Not even bookmarks.

taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/26 13:27:21

Hello again bonedome,

I have taken your advice and done a little experiment.

1 - Access FF 60 and remove master password
2 - Copy FF profile to a VM with FF 68
3 - Invoke FF 68 with my profile
4 - Play with stored credentials (e.g. sign onto this site, browse saved credentials etc.)
5 - Close FF
6 - Invoke FF again
7 - Repeat 4 (credentials are still there)
8 - Close FF
9 - Invoke FF again
10 - Set master password
11 - Close FF
12 - Invoke FF again
13 - Verify that credentials are still present
14 - Close FF
15 - Invoke FF again
16 - Verify that credentials are still present and sign onto this site which I am now

I will play with this installation of FF and my "production" profile for a while. IF it seems stable I may convert my profile on the physical machine and upgrade FF to 68. Or just wait for the next version and see what happens.

OBTW - Brave is available for CentOS 8 (but not 7 due to some library conflicts.) The iteration of Gnome on CentOS 8 is absolutely vulgar and unusable as far as I am concerned. I will wait until Mate becomes available before I do much with 8. I have installed XFCE on 8 which is an improvement over Gnome but it seems a little primitive. I really need to figure out how to use Qubes. I have the horsepower on this machine to run it. Just a steep learning curve and a major adjustment to my workflow. And I would have to dust off my old desktop and build something to use while figuring out Qubes.

Ken

User avatar
TrevorH
Forum Moderator
Posts: 26934
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by TrevorH » 2019/10/26 13:56:48

There is a firefox 68.2 that RH released about 2 days after 68.1 and it's on its way.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/26 16:05:26

Thanks TrevorH,

I look forward to trying it and will update this thread with my observations.

Ken

taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/27 15:20:08

Just a quick update. I again copied my profile from FF 60 on CentOS 7 to FF 70 on Mint. It carried over just fine. My saved credentials, with a master password set, are intact. Not sure what happened to my prior profile copy experiment.

Hopefully we can look forward to a post FF 68 release in CentOS (from the upstream provider) addressing the issue I originally reported.

Ken

taylorkh
Posts: 519
Joined: 2010/11/24 15:08:33
Location: North Carolina, USA

Re: WARNING! Firefox 68.1.0esr whacks saved credentials

Post by taylorkh » 2019/10/28 12:46:41

And it gets even better...
I copied my FF profile to a virtual machine of CentOS 8. The version of FF was 60.9.0esr. I exercised my stored credentials and master password. No issues. I then upgraded FF to 68.1.0. The master password was still set. The saved credentials and master password work fine. The issue seems to be FF on CentOS7. Not sure what that means.

Ken

Post Reply

Return to “CentOS 7 - Software Support”