SecurityXploded Blog

Explosing the New Sign-on Format of Firefox 3.5

With the new version 3.5, Firefox has changed the way the sign-on secrets (saved website passwords) are stored in the profile. Earlier Firefox used the signons.txt files to store the passwords for websites. This was clumsy and difficult to manage with every new release.

New Firefox 3.5 uses sqlite database file to store the website passwords.  I guess Firefox picked this idea from Google Chrome which uses the same format to store the sign-on passwords.  This sign-on file is named as signons.sqlite and it is located in the associated Firefox profile folder same as the signons.txt file.  The signons.txt file is no longer used and maintained. However if you have upgraded to 3.5 version from older version then you will still find signons*.txt file in profile folder but the contents are automatically migrated to the new signons.sqlite file on upgrade.

The new signons.sqlite file has two tables moz_disabledHosts and moz_logins. The moz_disabledHosts table contains list of blacklisted websites which are exempted from storing passwords. The moz_logins table contains all the saved website passwords. Here is more detailed description of each tables….

moz_disabledHosts

  • id   – index of each entry
  • hostname  – blacklisted website url

moz_logins

  • id    – index of each entry
  • hostname – base website URL
  • httpRealm –
  • formSubmitURL – Actual website URL for which secrets are saved.
  • usernameField – name of username element of form field
  • passwordField – name of password element of form field
  • encryptedUsername – encrypted username
  • encryptedPassword – encrypted password
  • guid – unique GUID for each entry
  • encType –  value 1 indicates encrypted

Below is the snapshot of moz_logins table as stored by new Firefox version 3.5

Due to this introduction of new sqlite format, the Firefox password recovery tools such as FirePassword and FirePasswordViewer does not work any more. I am currently working on to add support for the new version and soon we will have good news.

Update :  21st Aug 2009

Both FirePasswordViewer and FirePassword tools have been upgraded to support recovery of passwords from latest Firefox version 3.5

.

Leave a Reply