Closed Bug 1232227 Opened 8 years ago Closed 4 years ago

oauth token for gmail incorrectly saved when "Use password manager to remember" box is unchecked

Categories

(Thunderbird :: Security, defect)

38 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: x.xeroid, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce:

Using LXLE 14.04.3. Set up a GMail account in a new install of Thunderbird. Entered email and password, leaving the save password box unchecked.


Actual results:

Thunderbird still remembers the password.


Expected results:

I should have been prompted for a password. This is a security issue with laptops.
Kenneth

I could not reproduce with a non-gmail account.

Does it happen for you with a non-gmail account?
If only gmail, what auth process did you use? oauth? app password?
Flags: needinfo?(x.xeroid)
Whiteboard: [closeme 2016-12-15]
Wayne

I cannot reproduce this with a non-gmail account either.

I used the default settings Thunderbird creates, oauth2, etc. I'm not signing in with app password.

Even though I don't have the laptop using LXLE 14.04.3, I am using Thunderbird under Xubuntu 16.04 on a new one.

Keyring is disabled.
Yes, it only happens with a gmail account.
Blocks: 849540
Component: Untriaged → Security
Summary: Password remembered with unchecked box → Password for gmail incorrectly saved when "Use password manager to remember" box is unchecked
Flags: needinfo?(x.xeroid)
Whiteboard: [closeme 2016-12-15]

Is saving the oauth token the desired default behavior regardless of the checkbox?
If so, then invalid?

Flags: needinfo?(mkmelin+mozilla)
Summary: Password for gmail incorrectly saved when "Use password manager to remember" box is unchecked → oauth token for gmail incorrectly saved when "Use password manager to remember" box is unchecked

I'd say this is how it should be working. The account setup is a bit of a special case, but since how things work for any other later cases you simply never get the option of saving or not, when it comes to OAuth.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → WONTFIX