While comment 5 statement is totally correct, it's also unrealistic - it would require the "attacker" to have minimal knowledge about profiles and password manager. Therefore, I feel that the approach to the problem is that if there's intent and premeditation, there's nothing can be currently done, so we either do bug 1261977 or do nothing. But the point I was trying to make is that it is way too easy to access the user's credentials on a default setup and in my view.
Bug 1593580 Comment 6 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
While comment 5 statement is totally correct, it's also unrealistic - it would require the "attacker" to have minimal knowledge about profiles and password manager. Therefore, I feel that the approach to the problem is that if there's intent and premeditation, there's nothing can be currently done, so we either do bug 1261977 or do nothing. But the point I was trying to make is that it is way too easy to access the user's credentials on a default setup.