Abuse the Module

Dec 23, 2019

Approximately 360,000,000 people use Firefox every single day. 90 % of them or 324,000,000 people use Windows computers. Using a small utility called PasswordFox.exe, I can steal at least 324,000,000 passwords in all of 60 seconds.

PasswordFox OutputThis is what happens when a hacker abuses the module - and today, we'll go behind the screen to watch what's really going on.

According to Tim Johnson at the Mcclatchy Washington Bureau,

The average person is registered to **90** online accounts requiring passwords, and the number keeps growing


Not many people are capable of remembering 90 passwords - and our entire online experience depends on access to these accounts. Sounds like a paradox, but no one ever thinks about it, because our browsers, be it Chrome or Firefox save our passwords and do all the work for us. However, because we never think about it, we never stop to ask where those passwords actually are.

Encrypt Function

You're looking at a screenshot of our trusty partner x64dbg recording Firefox saving my passwords. Highlighted is a call to a function called `PK11_ENCRYPT` that lives in a module called `NS33.dll`. Firefox uses the above-mentioned function to store and encrypt my password. Sounds safe, right?

![Decrypt Function](https://vicarius-marketing.s3.amazonaws.com/decrpyt_final.jpg)

Above is a recording of Firefox **retrieving** my passwords. As soon as I click "show passwords", a call is made to `PK11_DECRYPT` that decrypts and retrieves your password. Still seems pretty safe right?


`PasswordFox` can (maliciously) use the `PK11_DECRYPT` function the same way Firefox can. There are two screenshots below. One is a recording of Firefox, and one of PasswordFox. Highlighted in both is the same exact call, to the same exact function - you guessed it - `PK11_DECRYPT`.


Operating Systems and many other things in the computing world were designed with trust in mind. Everyone can do everything, because why would anyone want to do anything malicious? In today's world, where huge sums of money stand to be easily made by abusing that naive trust, it doesn't really work.

Firefox can't do anything about it, Microsoft won't do anything about it.

Vicarius will.

Using sophisticated reverse engineering techniques, Vicarius Topia can identify modules that are likely to suffer abuse, and restrict access to them. With Topia in place, the next time PasswordFox tries to abuse the module, it'll be identified as an intruder, and promptly blocked.

Other popular security software will generally notify you of an attack, but can't do much to prevent it. This is why you need Vicarius Topia - no one else can keep you safe.

Written by

Roi Cohen

Recent Posts

  • 1

    Challenges of Cybersecurity Automation

    Kent Weigle May 07, 2021
  • 2

    Security Automation Best Practices

    Kent Weigle May 07, 2021
  • 3

    Part Human, Part Machine: Leverage Automation To Bolster Your Defense

    Kent Weigle May 07, 2021
  • 4

    Benefits of Automation in Cybersecurity

    Kent Weigle May 07, 2021
  • 5

    Will Automation Save the Security Team?

    Kent Weigle May 07, 2021

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 30-day trial