Closed Bug 540728 Opened 14 years ago Closed 14 years ago

Weave will sync passwords from a profile with a master password to one without

Categories

(Cloud Services :: General, defect)

Product:
Cloud Services
Component:
General
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: bogofilter+mozilla, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: 

If you add Weave to a profile with no master password, it will happily sync all your passwords, even if they came from a profile with a master password.  This of course leaves all your passwords in the clear.

Suggestion:  Instead of silently syncing, Weave should alert the user and prompt to set a master password or go through a "I'm really sure I want to do this" type prompt.


Reproducible: Always
One issue that currently would prevent this bug from being fixed is that Weave supports Firefox Mobile, and Firefox Mobile doesn't offer Master Passwords.  Not sure if there's a bug filed on that.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Depends on: 540769
(In reply to comment #1)
> Not sure if there's a bug filed on that.

Filed bug 540769 on this.
Oh! Boy! I was about to report this same bug today. I installed weave 1.0rc2 on a new account and gave the weave password. I then went to the security tab and without my setting a new Master password, upon my clicking "Show Passwords", FF allowed me me to see all passwords in the clear with just one question "Are you sure you want to display all passwords?". I like weave a lot, but this big hole worries me. Can it be fixed asap?
This is something that's come up before, and ultimately we are not going to enforce the master password across devices.  Here's why:

* Weave is not simply a Firefox service.  These are primary targets, but a key design goal has been to allow access from many different contexts.  If someone wanted to write a plugin for IE to share Weave data, the master password requirement wouldn't make sense.  Adding support to Fennec doesn't change this.
* Not all machines are created equal.  If a user has a desktop in their home, and a laptop they take everywhere, it is a common pattern to have more security options enabled on the portable device, due to the dramatically higher risk of compromise due to theft/loss/etc.
* Weave, as much as possible, should not control how data is used outside of the transmission endpoints.  Our goal is to provide a secure transport mechanism, not to provide local security.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
(In reply to comment #4)
> This is something that's come up before, and ultimately we are not going to
> enforce the master password across devices.  Here's why:

While I agree that enforcement is not desirable, is it so unreasonable to warn users?
Warn users when? During setup? During first sync?

We could potentially sync some sort of value (as a pref, maybe?) to denote that the MP was set on another machine.  Not at all convinced it's worth it though, especially since there's a lot of talk of changing how the MP works in Firefox.

Telling users lots of information is generally not good UI, in any case.
You should warn during setup, because that's when the user is interacting with the wizard and getting Weave set up.  Warning during sync would just be an unwelcome interruption.  Ideally, you would also warn any time the sync password pref is toggled on, even after initial setup.

I'm not suggesting you enforce a master password, but please reconsider some sort of warning.  It wouldn't even require a dialog or extra page in the Weave setup wizard, you could just have a bright yellow box in one of the wizard pages with something like:

    You have chosen to sync your passwords, but there is no master password set. 
    |x| Sync passwords anyway

    -or-

    You have chosen to sync your passwords, but there is no master password set. 
    |x| Sync passwords anyway
     _____________________
    | Set Master Password |
     ---------------------

I'm very technical and this behavior totally caught me off guard.  I discovered it when I synced my profile from my primary computer to my account on my parents computer, a computer that all kinds of other people use.  I had a mild heart attack when I realized some time later that all my passwords (including numerous financial and banking sites) were sitting on the hard drive unprotected.

Firefox has always been a program I felt I could trust with my personal information, which is why I was so shocked to discover that Weave was being so cavalier with the most sensitive information Firefox holds.  Please reconsider at least giving the user a heads up that they're about to become exposed in a way they probably don't want to be.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
The bug, as filed and summarized, is WONTFIX.  How clients protect the data that Weave transports is up to the client, but Weave will not enforce or attempt to require a master password for users.

If you want to file a bug on detecting that the master password is set on one machine, and reminding users who _already_ have a master password on another computer that they may want to do the same on that machine, that's a separate bug, and this bug should not be morphed to cover that narrow case.
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → WONTFIX
Filed bug 540975 per comment 8.
You need to log in before you can comment on or make changes to this bug.