Firefox form data history: a goldmine of unencrypted, sensitive, personal data

Posted: June 22nd, 2011 | Author: | Filed under: Uncategorized | Tags: , , | 5 Comments »

This blog post isn’t exactly “news” to many readers, but I feel it is worth reminding people of the risks of letting their browser remember form data history

Being reasonably paranoid about security / privacy, one of the first things I do when starting firefox on a freshly installed machine is to go to the preferences and change the history settings so that it does not ever remember any form data. Unfortunately on my most recently installed laptop I had forgotten to do this, for inexplicable reasons, so firefox was happily remembering form data. Before clearing the data out, I decided to take a look at just what firefox had remembered over the past couple of months.

  • Card numbers: Every credit and debit card number
  • CVV/CVC: The 3 digit verification codes from the back of several cards
  • Social security / national insurance numbers
  • Bank accounts: Several bank account numbers and sort codes
  • Addresses: Home address, amongst others
  • Date of birth: Handy in combination with the above data
  • User names: login name for many many websites, even those where I said not to remember the actual passwords
  • Phone numbers: my home and mobile phone numbers, amongst others
  • Answers to several “security questions” used to reset passwords on sites

You might wonder where/how firefox keeps all this sensitive data ? In a sqlite database with no encryption in your firefox profile ($HOME/.mozilla/firefox/XXXXXXXX.default/formhistory.sqlite). You can look at what is stored using the sqlite3 command line tool:

# sqlite3 formhistory.sqlite
sqlite> select fieldname, value from moz_formhistory order by value;

Or, if you trust the plugin author, you can install the firefox “Form History Control” addon which lets you browse all the data from a nice UI.

While I do have my laptop disk running with dm-crypt block device encryption, I still have a golden rule that no sensitive data is stored in cleartext in files since, while the OS is running, disk encryption is no real barrier malicious programs that find their way on to the machine. If it is a work provided machine, the data may also be finding its way into the corporate backup system & who knows if that is encrypted well enough. Any files with sensitive data have additional GPG encryption and really sensitive data will be on a separate encrypted USB stick, again with extra encryption for the files themselves. Keeping form history in an unencrypted sqlite database in my laptop home directory clearly violates my security goals. Why would a $EVIL criminal go the trouble of creating a virus which installs a keystroke logger in someone’s browser, when they can get a veritable goldmine of data by simply taking a copy of the formhistory.sqlite file.

Having known about this problem since 2003,  a “fix” was applied in 2010 for firefox 4 which attempts to identify credit card numbers in forms and not store them in the form history. Great, now what about all the other data it is storing some of which is just as sensitive as credit card numbers, if not more so ? If credit card details get mis-used, liability is usually on the credit card company, but not so for social security numbers, bank account numbers, etc…

Needless to say, I have fixed my preferences in firefox so that it doesn’t remember form data, and deleted the formhistory.sqlite file to remove any existing stored data it had. I have to wonder how many users of firefox are out there running with the default history settings, without any realization that a great deal of their sensitive personal data is being silently stored in plain sight for any malicious virus/trojan to capture. The annoying thing is form history can be really useful for certain websites where there’s alot of mundane non-sensitive data that needs entering frequently. As the last commenter on the bug 188285 proposed, it would be desirable if firefox prompted before remembering form data with options “Yes, Not at this time, Never for this site”. It would also be desirable for data in the formhistory.sqlite file to be encrypted as firefox can already do when remembering passwords.

To stop firefox recording your form history:

  • Select menu Edit -> Preferences
  • Navigate to tab Privacy
  • Change Firefox will: Remember history to Firefox will: Use custom settings for history
  • Unselect Remember search and form history

To clear your existing form history

  • Select menu Tools -> Clear Recent History
  • Change Time range to clear: Last Hour to Time range to clear: Everything
  • Expand details
  • Make sure Form History is selected (optionally unselect other bits you don’t want cleared)
  • Press Clear Now

If you are super paranoid, then shutdown firefox and delete the file $HOME/.mozilla/firefox/XXXXXXXX.default/formhistory.sqlite and then start firefox again

5 Comments

Thub said at 5:41 pm on June 23rd, 2011:

Personally, I set the master password (Options –> Security –> Use a master password), which causes the saved passwords and form history to be encrypted. It does however have the disadvantage that I need to enter the password once, the first time Firefox looks at this information in each Firefox session.

Daniel Berrange said at 7:01 pm on June 23rd, 2011:

AFAICT, the firefox master password only protects your saved passwords. The form data history is still stored in plain text in the formhistory.sqlite database file. So if you’re relying on the master password to protect your form history, you might want to double check the contents of the sqlite database to double check it really is encrypting your data. In my tests the data was always unencrypted even with a master password set.

Dianna said at 6:06 pm on June 23rd, 2011:

Thank you so much for sharing this. I am indeed paranoid and terrified of my personal info falling into the hands of those who shouldn’t have it. It’s reassuring to know there are ways to combat identity theft.

Cristian Ciupitu said at 12:58 am on July 15th, 2011:

That’s why I use a temporary separate Firefox profile for shopping.

Eli said at 1:57 am on September 4th, 2011:

Rather than simply delete the formhistory.sqlite database, one should overwrite it first. The unlinked file may be accessible for quite a long time, depending on filesystem usage.

On GNU systems, the shred utility will make recovery infeasible:
shred -fuzv “${HOME}”/.mozilla/firefox/*/formhistory.sqlite

Leave a Reply





Spam protection: Sum of f1ve plus t3n ?: