lclevy
Firefox v144 - update encryption scheme
As of v144, Firefox updated the encryption scheme on how usernames and passwords are stored on disk. https://www.firefox.com/en-US/firefox/144.0/releasenotes/
They don't use 3DES-CBC anymore, but AES256-CBC, in casu the algo_oid changed to 2.16.840.1.101.3.4.1.42
Adding a simple check would make your script up-to-date. Finally, adding the AES256_CBC decryption is pretty trivial. Keep in mind that the master_key needs to be 32 bytes in stead of 24 bytes when using 3DES.
Tested with my own script and it works fine. Here is how I did it:
[SNIP]
# 3. Decrypt
if algo_oid == '1.2.840.113549.3.7' : # or algo_oid == '1.2.840.113549.1.12.5.1.3' or algo_oid == '1.2.840.113549.1.5.13': # 3DES-CBC
# Use first 24 bytes of master key
decryption_key = key[:24]
cipher = DES3.new(decryption_key, DES3.MODE_CBC, iv)
decrypted_bytes = unpad(cipher.decrypt(ciphertext), DES3.block_size)
elif algo_oid == '2.16.840.1.101.3.4.1.42': # AES256-CBC
# Use first 32 bytes of master key
decryption_key = key[:32]
cipher = AES.new(decryption_key, AES.MODE_CBC, iv)
decrypted_bytes = unpad(cipher.decrypt(ciphertext), AES.block_size)
else:
raise Exception(f"Unknown login encryption algorithm: {algo_oid}")
# 4. Decode from bytes to string
try:
return decrypted_bytes.decode('utf-8')
except UnicodeDecodeError:
return repr(decrypted_bytes)
[SNIP]
Hi, Thank you! Why not creating a PR to have credit about this ? I knew I add to update the tool, but time is missing Laurent
2.16.840.1.101.3.4.1.42
if key4 + logins was created on version before 144, and then browser was updated to 144 it still cannot be decrypted. But if u do clean installation with new profile it will work.
