I want to write a simple utility that extracts passwords from a Firefox password database (the corresponding file is called signons.sqlite in the profile folder).
What I’ve done so far: Opened database using sqlite, retrieved encrypted username, encrypted password and address of website (all stored as std::string).
So, the only thing remaining is to decrypt the username and password strings.
I tried the following (PK11Decrypt ought to store the plaintext password in plaintext):
    #include <cstdlib>    // malloc
    #include <cstring>    // memcpy
    #include <nssb64.h>   // NSSBase64_DecodeBuffer
    #include <pk11sdr.h>  // PK11SDR_Decrypt
    #include <secitem.h>  // SECITEM_AllocItem, SECITEM_FreeItem

    void Firefox_Importer::PK11Decrypt(string _cipheredBuffer, char **plaintext) {
        *plaintext = NULL;  // stays NULL if any step below fails
        unsigned int len = (unsigned int)_cipheredBuffer.length();
        const char *cipheredBuffer = _cipheredBuffer.c_str();
        // generate request and reply SECItem; seems to work properly
        SECItem *reply = SECITEM_AllocItem(NULL, NULL, 0);
        if (reply == NULL) { cout << "Error allocating SECITEM." << endl; return; }
        SECItem *request = NSSBase64_DecodeBuffer(NULL, NULL, cipheredBuffer, len);
        if (request == NULL) {
            cout << "Error decoding buffer." << endl;
            SECITEM_FreeItem(reply, PR_TRUE);
            return;
        }
        // the following is not working
        SECStatus tmp = PK11SDR_Decrypt(request, reply, NULL);
        if (tmp != SECSuccess) {
            cout << "Something went wrong during decrypting" << endl;
        } else {
            // copy the decrypted bytes and NUL-terminate them
            *plaintext = (char *)malloc(reply->len + 1);
            if (*plaintext != NULL) {
                memcpy(*plaintext, reply->data, reply->len);
                (*plaintext)[reply->len] = '\0';
            }
        }
        SECITEM_FreeItem(request, PR_TRUE);
        SECITEM_FreeItem(reply, PR_TRUE);
    }
When PK11Decrypt is called, it prints Something went wrong during decrypting, indicating that the call to PK11SDR_Decrypt didn’t work properly. It always returns SECFailure (which corresponds to -1).
Does anybody have some hints or know what I’m doing wrong?
It could be that the call to PK11_Authenticate() isn’t optional, even if no master password is set (yes, NSS is pretty messed up). So you might need to do the following first:

Note that I pass NULL as context to PK11_Authenticate(), the context is only required if a password prompt should be displayed.

Edit: Never mind, I noticed that PK11SDR_Decrypt() will call both functions internally. Given that you get SECFailure as result, it is likely that PK11_GetInternalKeySlot() fails which would indicate that NSS isn’t initialized properly.
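
A diagnostic for the failure discussed above, added here as an example (it is not code from the question or the answer): it calls NSS through Python's ctypes in the order PK11SDR_Decrypt() depends on (NSS_Init, PK11_GetInternalKeySlot, PK11_Authenticate) and reports the first stage that fails, together with the NSS error code. The function name probe_nss, its stage labels and the fallback library name libnss3.so (Linux) are assumptions of this example.

```python
import ctypes
import ctypes.util

SEC_SUCCESS = 0  # SECStatus: SECSuccess == 0, SECFailure == -1


def probe_nss(profile_dir, libname=None):
    """Return (stage, nss_error); stage is 'load', 'init', 'slot', 'auth' or 'ok'."""
    # Assumption: the NSS shared library is discoverable as "nss3" / libnss3.so.
    libname = libname or ctypes.util.find_library("nss3") or "libnss3.so"
    try:
        nss = ctypes.CDLL(libname)
    except OSError:
        return ("load", None)  # NSS itself is not available to this process

    nss.NSS_Init.argtypes = [ctypes.c_char_p]
    nss.NSS_Init.restype = ctypes.c_int
    nss.PK11_GetInternalKeySlot.restype = ctypes.c_void_p
    nss.PK11_Authenticate.argtypes = [ctypes.c_void_p, ctypes.c_int,
                                      ctypes.c_void_p]
    nss.PK11_Authenticate.restype = ctypes.c_int
    nss.PK11_FreeSlot.argtypes = [ctypes.c_void_p]
    nss.PORT_GetError.restype = ctypes.c_int

    # Without a successful NSS_Init on the profile directory there is no key
    # database, so every later call (including PK11SDR_Decrypt) fails.
    if nss.NSS_Init(profile_dir.encode()) != SEC_SUCCESS:
        return ("init", nss.PORT_GetError())
    try:
        slot = nss.PK11_GetInternalKeySlot()
        if not slot:
            return ("slot", nss.PORT_GetError())
        try:
            # NULL context: no password prompt can be shown, so this fails
            # when the profile is protected by a master password.
            if nss.PK11_Authenticate(slot, 1, None) != SEC_SUCCESS:
                return ("auth", nss.PORT_GetError())
        finally:
            nss.PK11_FreeSlot(slot)
        return ("ok", 0)
    finally:
        nss.NSS_Shutdown()


if __name__ == "__main__":
    import sys
    # Pass the profile directory to check as the first argument.
    print(probe_nss(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A result of ("init", code) matches the situation in the question: PK11SDR_Decrypt() was called in a process where NSS was never initialized against the profile directory.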