Security: Stored credentials can be extracted without master password via NSS API #10529

@Kropiunig

Description

Summary

Thunderbird (and its underlying Mozilla credential storage) allows any local process to extract all stored email passwords in plaintext when no Primary/Master Password is configured — which is the default state.

The Problem

Mozilla's credential storage (logins.json + key4.db) uses NSS (Network Security Services) to encrypt stored passwords. However, when no Primary Password is set (the default), the encryption key in key4.db is protected by an empty string. This means:

  1. Any application running under the same user account can load nss3.dll / libnss3.so
  2. call NSS_Init() with the profile path
  3. verify the empty master password via PK11_CheckUserPassword(slot, "")
  4. decrypt all stored credentials via PK11SDR_Decrypt()

This requires no privilege escalation, no exploitation of any vulnerability — just standard API calls to Mozilla's own libraries.

Proof of Concept

import ctypes, json, os, base64

nss3 = ctypes.CDLL('nss3.dll')  # or libnss3.so
nss3.NSS_Init(profile_path.encode())

slot = nss3.PK11_GetInternalKeySlot()
nss3.PK11_CheckUserPassword(slot, b'')  # Returns 0 = success

# Decrypt any entry from logins.json
nss3.PK11SDR_Decrypt(encrypted_input, decrypted_output, None)
# → plaintext password

Full working implementation exists at firefox_decrypt.

Impact

  • All stored email credentials (IMAP, POP3, SMTP passwords) are extractable
  • OAuth2 tokens for services like Gmail are also stored and extractable
  • Any malware, rogue browser extension, or script running as the user can silently harvest all credentials
  • Users are not warned that their passwords are effectively stored in the equivalent of plaintext

Suggested Mitigations

  1. Require Primary Password on first credential save — Don't make it optional with an easy-to-dismiss prompt
  2. OS keychain integration — Use Windows Credential Manager / macOS Keychain / Linux Secret Service instead of NSS's own key storage. These are protected by the OS login session and are not trivially accessible via API
  3. Warning indicator — Show a persistent security warning in the account settings when credentials are stored without a Primary Password
  4. Restrict NSS access — Consider sandboxing or access control on the profile directory to prevent other processes from loading the key database
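Until the product-side mitigations above land, the behaviour described in "The Problem" (a foreign process loading a Mozilla-bundled NSS library) is observable from endpoint telemetry. The following is an added example, not code from this issue or from Mozilla, showing the detection heuristic over constructed Sysmon-style image-load events (Event ID 7; the field names Image and ImageLoaded are Sysmon's, the sample events and paths are made up):

```python
import json
from pathlib import PureWindowsPath, PurePosixPath

NSS_LIBS = {"nss3.dll", "libnss3.so"}
MOZILLA_DIR_HINTS = ("mozilla", "thunderbird", "firefox")

def _split(path):
    """Return (parent_dir, file_name); Windows paths are recognised by backslashes."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.parent, p.name

def _is_mozilla_install(directory):
    return any(h in part.lower() for part in directory.parts for h in MOZILLA_DIR_HINTS)

def suspicious_nss_load(event):
    """Given Sysmon Event ID 7 fields (Image = loading process, ImageLoaded = library),
    return a reason string when a non-Mozilla process loads a Mozilla-bundled NSS
    library, else None."""
    lib_dir, lib_name = _split(event["ImageLoaded"])
    if lib_name.lower() not in NSS_LIBS:
        return None
    # A system-wide libnss3.so (e.g. /usr/lib/x86_64-linux-gnu) is shared by many
    # legitimate programs; only the copy shipped inside a Mozilla install is of interest.
    if not _is_mozilla_install(lib_dir):
        return None
    proc_dir, proc_name = _split(event["Image"])
    # The product loading its own bundled copy (thunderbird.exe -> nss3.dll) is normal.
    if proc_dir == lib_dir:
        return None
    return f"{proc_name} loaded {lib_name} from {lib_dir}"

def scan(lines):
    """Run the check over newline-delimited JSON events; return (user, reason) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 7:
            reason = suspicious_nss_load(ev)
            if reason:
                hits.append((ev.get("User", "?"), reason))
    return hits

# Constructed sample events (not real telemetry), serialised like an NDJSON export.
TB = r"C:\Program Files\Mozilla Thunderbird"
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 7, "User": r"DESKTOP\alice", "Image": TB + r"\thunderbird.exe", "ImageLoaded": TB + r"\nss3.dll"},
    {"EventID": 7, "User": r"DESKTOP\alice", "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ImageLoaded": TB + r"\nss3.dll"},
    {"EventID": 1, "User": r"DESKTOP\alice", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "User": "host/bob", "Image": "/usr/bin/evolution", "ImageLoaded": "/usr/lib/x86_64-linux-gnu/libnss3.so"},
    {"EventID": 7, "User": "host/bob", "Image": "/tmp/sync-helper", "ImageLoaded": "/usr/lib/thunderbird/libnss3.so"},
]]

if __name__ == "__main__":
    for user, reason in scan(SAMPLE_LINES):
        print(f"ALERT {user}: {reason}")
```

The directory-match rule is a heuristic: legitimate third-party tools that link against a vendor-bundled NSS would also trigger it, so treat hits as triage leads rather than confirmed credential access.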

Environment

  • Thunderbird ESR (Desktop, Windows 11)
  • Default configuration, no Primary Password set
  • NSS credential storage with encType: 1 (3DES-CBC / AES-256-CBC via PBES2)

References

  • firefox_decrypt — Demonstrates this exact extraction
  • Mozilla Wiki: NSS
  • This applies equally to Firefox, Thunderbird Desktop, and Thunderbird Android if the same credential storage model is used
