Closed
Bug 255948
Opened 20 years ago
Closed 10 years ago
Remove stored password after the account is deleted.
Categories
(MailNews Core :: Account Manager, defect)
Tracking
(thunderbird36 fixed)
RESOLVED
FIXED
Thunderbird 36.0
Tracking | Status | |
---|---|---|
thunderbird36 | --- | fixed |
People
(Reporter: baruch, Assigned: javirid)
Attachments
(1 file, 2 obsolete files)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.52 [en]
Build Identifier:

I created an e-mail account in Thunderbird, and stored the password. I then deleted the account. Later on I made changes to the POP3 server, including changing the password on the server. When I tried to re-create the account in Thunderbird, I got a message telling me the password was incorrect. Thunderbird had retained the old password, even though I had deleted that account from Thunderbird. This is inconvenient, but more importantly, it has security issues.

Reproducible: Always

Steps to Reproduce:
1. Create an e-mail account.
2. Save its password, using Password Manager.
3. Delete the account.
4. Recreate the account.
5. The password will still be there.

Actual Results:
As described above.

Expected Results:
IMNSHO, it should have automatically deleted the password, both for convenience, and to reduce security risk.
Comment 1•20 years ago
I can confirm this behaviour, although I lack the bugzilla authority to actually mark the bug as confirmed.
Flags: blocking-aviary1.0?
Comment 3•20 years ago
(In reply to comment #2)
> not a 1.0 blocker

i can confirm the bug and it's really ugly. i can't use a given account with thunderbird since release 0.7(!) and i'm waiting 'til this is solved - my only chance to use this account with thunderbird! would you at least describe a user-workaround (deleting a file? maybe how to wipe _all_ passwords or something) - it's really frustrating to see my account in thunderbird but being unable to use it, just getting "unable to connect to [hostname]" - acts like microsoft-software ;-) just kidding.. at least confirm this one and provide a workaround for long-time users.. it's really annoying..
Comment 4•20 years ago
by the way, i'm using 1.0 on win2k right now, just downloaded 1.0 today in the hope this one got fixed..
Comment 5•20 years ago
there's a simple workaround - you can go into the password manager and delete the passwords yourself. Tools | options | advanced | view saved passwords
Comment 6•19 years ago
I have Thunderbird version 1.0.2 on Fedora Core 3 and was very surprised that after about 4 months after removing the account and then recreating it that I did not get the password prompt. Scary. It took me a while to think to look at Preferences/Advanced and seeing that Thunderbird shares the password file with Firefox. I then used the Master Password feature to encrypt the passwords in TB. I can still read the passwords from Firefox. Is this a bug? Or a security issue in both FF and TB?
Comment 7•19 years ago
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
Updated•19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•17 years ago
QA Contact: general
Updated•16 years ago
Assignee: mscott → nobody
Comment 8•16 years ago
This bug still exists in 2.0.0.16 - I think it's pretty important that this gets fixed.
Reporter | ||
Comment 9•16 years ago
This bug is part of a much more serious problem with security that is deliberately built into Thunderbird. Using the password management feature of Thunderbird, it is a simple matter to view your passwords in cleartext. That is a serious and unacceptable security risk, but the behavior is offered as a "feature". Since Thunderbird is designed to allow anyone with access to the computer to view the passwords to your active accounts in cleartext, I don't think there will be any effort to prevent people from getting at passwords to inactive, supposedly deleted accounts. Thunderbird security is broken by design.
Comment 10•16 years ago
The problem I have with this bug compared to the ability to view your passwords in cleartext is that when you delete an account, you expect that the passwords are no longer available. At least with the "save password" feature you are aware that the password is saved somewhere, and consequently viewable. The problem with this is that, if you delete an account, the password hangs around. If someone was to later re-add that account, they would not require a password to access it. The delete account feature gives a false sense of security given that it does not actually delete everything related to that account.
Reporter | ||
Comment 11•16 years ago
(In reply to comment #10)
> The problem I have with this bug compared to the ability to view your passwords
> in cleartext is that when you delete an account, you expect that the passwords
> are no longer available. At least with the "save password" feature you are
> aware that the password is saved somewhere, and consequently viewable.
>

I see your point and I sympathize with it. That's why I originally reported this four years ago. Unfortunately, given the low priority security has with Thunderbird, I am not convinced anyone will consider this bug important enough to fix it.
Comment 12•15 years ago
can you reproduce using version 3 beta? If you do, please see the problem comment. If you do not, please close the bug with resolution WORKSFORME (or some appropriate resolution, but not FIXED)

** Beta 2 has fixes Bug 239131 Thunderbird should use the new password manager, which includes numerous improvements
http://www.mozillamessaging.com/en-US/thunderbird/early_releases/
(suggest you backup your profile before using beta release)
Component: General → Security
QA Contact: general → thunderbird
Assignee | ||
Updated•10 years ago
OS: Windows XP → All
Hardware: x86 → All
Summary: Stored password are retained after the account is deleted. → Remove stored password after the account is deleted.
Assignee | ||
Comment 14•10 years ago
Modified function was reviewed previously by Ian. ;mconley has been also a reviewer, but his patches-to-be-reviewed queue seems to be really long right now.
Attachment #8493185 -
Flags: review?(iann_bugzilla)
Component: Security → Account Manager
Product: Thunderbird → MailNews Core
Version: unspecified → Trunk
Comment 15•10 years ago
Comment on attachment 8493185 [details] [diff] [review] Removes the password information when account is deleted >+++ b/mailnews/base/prefs/content/AccountManager.js >+ // Remove password information. >+ try { >+ var tmpType = server.type; You don't seem to use this variable anywhere. >+ var srvConcatenation = server.type + "://" + server.hostName; Tend to use "let" rather than "var". Not that keen on the variable name, maybe serverUri or serverUrl or just url >+ >+ var logins = Services.logins.findLogins({}, srvConcatenation, >+ null, srvConcatenation); let >+ >+ for (var i = 0; i < logins.length; i++) { let >+ if (logins[i].username==server.username) { Need spaces around == >+ Services.logins.removeLogin(logins[i]); >+ break; >+ } >+ } >+ } >+ catch (ex) { >+ Components.utils.reportError("Failure when removing password: " + ex); >+ } f=me for the moment as I'd like to review the revised patch. As this is shared code (between TB and SM), then it also needs a review from someone like mkmelin
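Review bot: The `break` inside the `for` loop stops after the first entry whose `username` matches `server.username`, so if `findLogins` returns more than one stored login for that `type://hostName` and username, the remaining ones stay in the password store after the account is gone. Since the point of the hunk is to leave no credential behind, drop the `break` and call `removeLogin` on every match. The lookup is keyed only on `server.type + "://" + server.hostName`, so a short code comment stating which stored entries this is expected to cover would help the next reader judge whether anything is left for other cleanup.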
Attachment #8493185 -
Flags: review?(iann_bugzilla) → feedback+
Assignee | ||
Comment 16•10 years ago
Changed var into let, renamed concatenated variable, removed unused variable and polished spaces.
Attachment #8496616 -
Flags: review?(mkmelin+mozilla)
Attachment #8496616 -
Flags: review?(iann_bugzilla)
Comment 17•10 years ago
Comment on attachment 8496616 [details] [diff] [review] Patch v1.0.1 Review of attachment 8496616 [details] [diff] [review]: ----------------------------------------------------------------- Seems to work fine, thx Javier! ::: mailnews/base/prefs/content/AccountManager.js @@ +793,5 @@ > + } > + } > + } > + catch (ex) { > + Components.utils.reportError("Failure when removing password: " + ex); AFAIK there's nothing throwing here? so we don't need a try/catch
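Review bot: In the `catch (ex)` block a failure is only passed to `Components.utils.reportError`, so a password that could not be removed stays in the store with nothing but an error-console line to show for it. If the try/catch is dropped as suggested, add a comment at the `removeLogin` call recording that it is not expected to throw; if it is kept, consider surfacing the failure to the user instead of only logging it.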
Attachment #8496616 -
Flags: review?(mkmelin+mozilla) → review+
Comment 18•10 years ago
Comment on attachment 8496616 [details] [diff] [review] Patch v1.0.1 Agreed, no need for try/catch
Attachment #8496616 -
Flags: review?(iann_bugzilla) → review+
Assignee | ||
Comment 19•10 years ago
Assignee | ||
Comment 20•10 years ago
Comment on attachment 8496616 [details] [diff] [review] Patch v1.0.1 Review and Feedback information has been included into the new patch.
Attachment #8496616 -
Attachment is obsolete: true
Assignee | ||
Updated•10 years ago
Attachment #8493185 -
Attachment is obsolete: true
Assignee | ||
Updated•10 years ago
Keywords: checkin-needed
Comment 21•10 years ago
https://hg.mozilla.org/comm-central/rev/961310d3535b -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 36.0
Keywords: checkin-needed
Updated•9 years ago
status-thunderbird36:
--- → fixed
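An added example, not part of the bug report or of the Thunderbird code: an audit that lists stored mail logins no configured account still uses, which is the leftover state this bug describes. It assumes logins are keyed as `type://hostName` plus username, the format built in the patch quoted in comment 15; the function names, the scheme list and all sample data are constructed for illustration.

```javascript
// Added example: find stored logins that no configured account refers to.
// Assumption: the key format "<type>://<hostName>" + username, taken from
// the patch quoted in comment 15. Names and data here are hypothetical.

// Schemes treated as mail logins (assumed list, adjust to the store audited).
const MAIL_SCHEMES = new Set(["imap", "pop3", "smtp", "nntp"]);

// Normalise an (origin, username) pair. Host names are case-insensitive,
// so the origin is lower-cased; usernames are compared exactly.
function loginKey(origin, username) {
  return origin.trim().toLowerCase() + "\u0000" + username;
}

// accounts:     [{ type, hostName, username }]  currently configured
// storedLogins: [{ origin, username }]          entries in the password store
function findOrphanedLogins(accounts, storedLogins) {
  const live = new Set(
    accounts.map(a => loginKey(a.type + "://" + a.hostName, a.username))
  );
  return storedLogins.filter(login => {
    const scheme = login.origin.split("://")[0].toLowerCase();
    // The store may hold non-mail entries as well; leave those alone.
    if (!MAIL_SCHEMES.has(scheme)) return false;
    return !live.has(loginKey(login.origin, login.username));
  });
}

// Constructed sample: one account remains, two mail logins were left behind.
const accounts = [
  { type: "imap", hostName: "mail.example.org", username: "alice" },
];
const storedLogins = [
  { origin: "imap://mail.example.org", username: "alice" }, // still in use
  { origin: "imap://Mail.Example.org", username: "bob" },   // no such account
  { origin: "pop3://old.example.net", username: "alice" },  // deleted account
  { origin: "https://example.com", username: "alice" },     // not a mail login
];

for (const l of findOrphanedLogins(accounts, storedLogins)) {
  console.log("orphaned:", l.origin, l.username);
}
```
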