Closed Bug 255948 Opened 20 years ago Closed 10 years ago

Remove stored password after the account is deleted.

Categories

(MailNews Core :: Account Manager, defect)

defect
Not set
normal

Tracking

(thunderbird36 fixed)

RESOLVED FIXED
Thunderbird 36.0
Tracking Status
thunderbird36 --- fixed

People

(Reporter: baruch, Assigned: javirid)

References

Details

Attachments

(1 file, 2 obsolete files)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.52  [en]
Build Identifier: 

I created an e-mail account in Thunderbird, and stored the password.  I then 
deleted the account.  

Later on I made changes to the POP3 server, including changing the password on 
the server.

When I tried to re-create the account in Thunderbird, I got a message telling me 
the password was incorrect.

Thunderbird had retained the old password, even though I had deleted that 
account from Thunderbird.  This is inconvenient, but more importantly, it has 
security issues.

Reproducible: Always
Steps to Reproduce:
1. Create an e-mail account.
2. Save its password, using Password Manager.
3. Delete the account.
4. Recreate the account.
5. The password will still be there.

Actual Results:  
As described above.

Expected Results:  
IMNSHO, it should have automatically deleted the password, both for convenience, 
and to reduce security risk.
I can confirm this behaviour, although I lack the bugzilla authority to actually
mark the bug as confirmed.
Flags: blocking-aviary1.0?
not a 1.0 blocker
Flags: blocking-aviary1.0? → blocking-aviary1.0-
(In reply to comment #2)
> not a 1.0 blocker

i can confirm the bug and it's really ugly. i can't use a given account with 
thunderbird since release 0.7(!) and i'm waiting 'til this is solved - my only 
chance to use this account with thunderbird!

would you at least describe a user-workaround (deleting a file? maybe how to 
wipe _all_ passwords or something) - it's really frustrating to see my account 
in thunderbird but being unable to use it, just getting "unable to connect to 
[hostname]" - acts like microsoft-software ;-) just kidding..

at least confirm this one and provide a workaround for long-time users.. it's 
really annoying..


by the way, i'm using 1.0 on win2k right now, just downloaded 1.0 today in the 
hope this one got fixed.. 
there's a simple workaround - you can go into the password manager and delete
the passwords yourself. Tools | options | advanced | view saved passwords
I have Thunderbird version 1.0.2 on Fedora Core 3 and was very surprised that
after about 4 months after removing the account and then recreating it that I
did not get the password prompt. Scary. It took me a while to think to look at
Preferences/Advanced and seeing that Thunderbird shares the password file with
Firefox. 

I then used the Master Password feature to encrypt the passwords in TB. I can
still read the passwords from Firefox.

Is this a bug? Or a security issue in both FF and TB?

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: general
Assignee: mscott → nobody
This bug still exists in 2.0.0.16 - I think it's pretty important that this gets fixed.
This bug is part of a much more serious problem with security that is deliberately built into Thunderbird.  Using the password management feature of Thunderbird, it is a simple matter to view your passwords in cleartext.  That is a serious and unacceptable security risk, but the behavior is offered as a "feature".

Since Thunderbird is designed to allow anyone with access to the computer to view the passwords to your active accounts in cleartext, I don't think there will be any effort to prevent people from getting at passwords to inactive, supposedly deleted accounts.

Thunderbird security is broken by design.
The problem I have with this bug compared to the ability to view your passwords in cleartext is that when you delete an account, you expect that the passwords are no longer available. At least with the "save password" feature you are aware that the password is saved somewhere, and consequently viewable. 

The problem with this is that, if you delete an account, the password hangs around. If someone was to later re-add that account, they would not require a password to access it. The delete account feature gives a false sense of security given that it does not actually delete everything related to that account.
(In reply to comment #10)
> The problem I have with this bug compared to the ability to view your passwords
> in cleartext is that when you delete an account, you expect that the passwords
> are no longer available. At least with the "save password" feature you are
> aware that the password is saved somewhere, and consequently viewable. 
> 

I see your point and I sympathize with it.  That's why I originally reported this four years ago.  Unfortunately, given the low priority security has with Thunderbird, I am not convinced anyone will consider this bug important enough to fix it.
can you reproduce using version 3 beta?

If you do, please see the problem comment.
If you do not, please close the bug with resolution WORKSFORME (or some
appropriate resolution, but not FIXED)

** Beta 2 has fixes Bug 239131 Thunderbird should use the new password
manager, which includes numerous improvements
http://www.mozillamessaging.com/en-US/thunderbird/early_releases/
(suggest you backup your profile before using beta release)
Component: General → Security
QA Contact: general → thunderbird
OS: Windows XP → All
Hardware: x86 → All
Summary: Stored password are retained after the account is deleted. → Remove stored password after the account is deleted.
Modified function was reviewed previously by Ian. ;mconley has also been a reviewer, but his patches-to-be-reviewed queue seems to be really long right now.
Attachment #8493185 - Flags: review?(iann_bugzilla)
Assignee: nobody → leofigueres
Status: NEW → ASSIGNED
Component: Security → Account Manager
Product: Thunderbird → MailNews Core
Version: unspecified → Trunk
Comment on attachment 8493185 [details] [diff] [review]
Removes the password information when account is deleted

>+++ b/mailnews/base/prefs/content/AccountManager.js

>+  // Remove password information.
>+  try {
>+    var tmpType = server.type;
You don't seem to use this variable anywhere.

>+    var srvConcatenation = server.type + "://" + server.hostName;
Tend to use "let" rather than "var". Not that keen on the variable name, maybe serverUri or serverUrl or just url
>+
>+    var logins = Services.logins.findLogins({}, srvConcatenation,
>+                                            null, srvConcatenation);
let
>+
>+    for (var i = 0; i < logins.length; i++) {
let
>+      if (logins[i].username==server.username) {
Need spaces around ==
>+        Services.logins.removeLogin(logins[i]);
>+        break;
>+      }
>+    }
>+  }
>+  catch (ex) {
>+    Components.utils.reportError("Failure when removing password: " + ex);
>+  }
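Review bot: the `break` after `Services.logins.removeLogin(logins[i]);` stops the loop at the first login whose username matches, so if the login store holds more than one entry for this server and username, the remaining ones survive account deletion, which is exactly the leftover this bug is about. Drop the `break` (or collect all matches and remove each) so every stored login for the removed account is purged.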
f=me for the moment as I'd like to review the revised patch.
As this is shared code (between TB and SM), then it also needs a review from someone like mkmelin
Attachment #8493185 - Flags: review?(iann_bugzilla) → feedback+
Attached patch Patch v1.0.1 (obsolete) — Splinter Review
Changed var into let, renamed concatenated variable, removed unused variable and polished spaces.
Attachment #8496616 - Flags: review?(mkmelin+mozilla)
Attachment #8496616 - Flags: review?(iann_bugzilla)
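As an added example (not the patch under review or Thunderbird's own code), the cleanup the revised patch performs, written to remove every matching login rather than stopping at the first; the login store and the server object are constructed stand-ins, and keying entries by `type://hostName` follows the patch rather than any verified profile layout.

```javascript
// Added example, not the Thunderbird patch: purge every stored login for a
// mail server when its account is removed. The login store is a constructed
// stand-in exposing the two nsILoginManager calls the patch uses,
// findLogins(count, hostname, formSubmitURL, httpRealm) and removeLogin(login).
// Keying entries by type + "://" + hostName mirrors the patch (an assumption).

function serverUri(server) {
  return server.type + "://" + server.hostName;
}

// Remove every login for this server and username (no early break, so a
// duplicate entry cannot survive the deletion). Returns the number removed.
function removeServerLogins(loginManager, server) {
  const uri = serverUri(server);
  const logins = loginManager.findLogins({}, uri, null, uri);
  let removed = 0;
  for (const login of logins) {
    if (login.username === server.username) {
      loginManager.removeLogin(login);
      removed++;
    }
  }
  return removed;
}

// Constructed in-memory login store mimicking the two calls above.
class FakeLoginManager {
  constructor(logins) { this.logins = logins.slice(); }
  findLogins(count, hostname, formSubmitURL, httpRealm) {
    const hits = this.logins.filter(
      l => l.hostname === hostname && l.httpRealm === httpRealm);
    count.value = hits.length;
    return hits;
  }
  removeLogin(login) { this.logins = this.logins.filter(l => l !== login); }
}

// Sample data (constructed): two stale POP3 entries and one unrelated IMAP one.
function demo() {
  const pop = "pop3://mail.example.test", imap = "imap://mail.example.test";
  const store = new FakeLoginManager([
    { hostname: pop, httpRealm: pop, username: "alice", password: "old" },
    { hostname: pop, httpRealm: pop, username: "alice", password: "older" },
    { hostname: imap, httpRealm: imap, username: "alice", password: "keep" },
  ]);
  const server = { type: "pop3", hostName: "mail.example.test", username: "alice" };
  const removed = removeServerLogins(store, server);
  return { removed, remaining: store.logins.length,
           removedAgain: removeServerLogins(store, server) };
}
```

A second call on the same server returns 0, which is the check a test for this fix should make: nothing for the deleted account is left to find.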
Comment on attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Review of attachment 8496616 [details] [diff] [review]:
-----------------------------------------------------------------

Seems to work fine, thx Javier!

::: mailnews/base/prefs/content/AccountManager.js
@@ +793,5 @@
> +      }
> +    }
> +  }
> +  catch (ex) {
> +    Components.utils.reportError("Failure when removing password: " + ex);

AFAIK there's nothing throwing here? so we don't need a try/catch
Attachment #8496616 - Flags: review?(mkmelin+mozilla) → review+
Comment on attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Agreed, no need for try/catch
Attachment #8496616 - Flags: review?(iann_bugzilla) → review+
Comment on attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Review and Feedback information has been included into the new patch.
Attachment #8496616 - Attachment is obsolete: true
Attachment #8493185 - Attachment is obsolete: true
Keywords: checkin-needed
https://hg.mozilla.org/comm-central/rev/961310d3535b -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 36.0
Keywords: checkin-needed
Depends on: 1308767