CVE-2021-38505 - Mozilla Details Firefox Password-Leak Threat, Fix Implemented November 2021 - Binary Defense

Threat Watch

Threat Watch CVE-2021-38505 – Mozilla Details Firefox Password-Leak Threat, Fix Implemented November 2021

CVE-2021-38505 – Mozilla Details Firefox Password-Leak Threat, Fix Implemented November 2021

On December 15, Mozilla developers published a brief detailing a fix for an issue where usernames and passwords were being recorded in the Windows Cloud Clipboard feature of Firefox and Thunderbird versions below Firefox 94, Thunderbird 91.3, and Firefox ESR 91.3

According to the blog post, “The local effect of Ctrl+C is no longer local. For example, recovery codes copied last week on one device can appear in the clipboard of another PC for the same user. In Windows 10 it is now possible to look up secrets from connected devices by pressing Windows+V on the unlocked system. There will be no audit trails and no authentication challenge.” Starting with Firefox 94 and Firefox ESR 91.3, Mozilla has removed the function of storing and sharing data with the Cloud Clipboard or local Clipboard History when copying from Firefox’s password storage page and everything from a Private Browsing window, keeping it controlled by Firefox.

ANALYST NOTES

Binary Defense recommends the use of a dedicated password manager rather than using browser storage or the same password everywhere. Browser password databases are among the most frequently-targeted locations by many malware varieties. Password managers also allow for easy rotation of credentials, further decreasing risk if a threat actor has obtained logon information.
Now is a wonderful time of year to rethink credential storage. It most likely time to rotate out old passwords and implement a password manager.

https://blog.mozilla.org/security/2021/12/15/preventing-secrets-from-leaking-through-clipboard/

https://therecord.media/firefox-fixes-password-leak-via-windows-cloud-clipboard-feature/