New syncing tool introduces major security flaw

RESOLVED WONTFIX

Firefox
Sync
4 years ago
4 years ago

People

(Reporter: Chris, Unassigned)

Tracking

32 Branch
Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

Enable device syncing.

Once enabled across your devices, it only takes one device to fall into the wrong hands for a mere few minutes or for a hacker to gain access to your computer via other means.

Once they have access to your machine they can get access to your master password file and extract the Mozilla syncing account password.

Once they have done that they can set up a device on your account that forevermore syncs to your account and thus learn all your passwords when they are changed, what sites you visit and all the other data the syncing tool shares across devices.

Syncing should be disabled until this major design fault is rectified.

It is even possible for a user to set up syncing without the target knowing it's in operation and therefore track them.

Lots of terrorist states such as the USA would love this.


Actual results:

Reveals passwords and browsing history to 3rd party. Allows for ongoing tracking of a user's details.


Expected results:

Syncing should never have been deployed in such a way as it forces a user to disable the master password.
(Reporter)

Updated

4 years ago
Severity: normal → critical

Updated

4 years ago
Component: Untriaged → Sync
Flags: needinfo?(gavin.sharp)
Refer to: [10 Immutable Laws of Security](http://technet.microsoft.com/library/cc722487.aspx)
(In reply to Chris from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101
> Firefox/32.0
> Build ID: 20140923175406
> 
> Steps to reproduce:
> 
> Enable device syncing.
> 
> Once enabled across your devices, it only takes one device to fall into the
> wrong hands for a mere few minutes or for a hacker to gain access to your
> computer via other means.
> 

Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

> Once they have access to your machine they can get access to your master
> password file and extract the Mozilla syncing account password.
> 
> Once they have done that they can set up a device on your account that
> forevermore syncs to your account and thus learn all your passwords when they
> are changed, what sites you visit and all the other data the syncing tool
> shares across devices.
> 

Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

> syncing should be disabled until this major design fault is rectified.
> 
> It is even possible for a user to set up syncing without the target knowing
> it's in operation and therefore track them.
> 
> Lots of terrorist states such as the USA would love this.
> 
> 
> Actual results:
> 
> Reveals passwords and browsing history to 3rd party. Allows for ongoing
> tracking of a user's details.
> 
> 
> Expected results:
> 
> Syncing should never have been deployed in such a way as it forces a user to
> disable the master password.
Group: core-security
Severity: critical → normal
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(gavin.sharp)
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → WONTFIX
If an attacker has access to your device and you don't have administrative protections (passwords, encryption, etc.) to prevent access, then all data on that device should be considered compromised. Regardless of sync, password management solution, or otherwise. This information would be available. We also recommend that users enable a master password[^1] to further protect their password (synced or not).

No protection scheme is perfect, but it's nearly impossible to protect from an unrestricted physical attack or from the user taking an action that gives access to a system (intentionally or unintentionally).

[^1]: https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins?redirectlocale=en-US&redirectslug=Protecting+stored+passwords+using+a+master+password
(Reporter)

Comment 3

4 years ago
You miss my point.

If a person gets access to your system using this serious flaw, they can continue to monitor your browsing and any new passwords remotely.

For example, a spouse could use this flaw to spy on their partner on an ongoing basis. Don't you consider that significant? I certainly do.

Yes, they could install a keylogger, but this is far more elegant and less intrusive and impossible to detect by normal means which would pick up a keylogger.

I think it is incorrect to dismiss this as a wont fix.

Mozilla is making it trivial to spy on a person's online activities.
(Reporter)

Comment 4

4 years ago
As to the comment about enabling a master password...

That is the problem!

If you want to sync your passwords (the most important feature of syncing IMHO), Mozilla RECOMMENDS turning OFF master passwords.

That is why I strongly recommend disabling sync until this security flaw is fixed.