Closed Bug 1168111 Opened 9 years ago Closed 9 years ago

Security issue in Sync

Categories

(Firefox :: Sync, defect)

38 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: dnelub, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150511103819

Steps to reproduce:

1. Firefox Browser v.38 is installed on both of my computers, at work and at home. On both computers, Linux-Mint is installed as the operating system;
2. Sync in Firefox has been activated on both of my computers;
3. Recently I decided to sync the passwords stored on my computer at work in order to use them at home too. And, to be sure, these passwords are protected by a master password.


Actual results:

4. At home, I was able to use and see my passwords without using my master password. 



Expected results:

5. Firefox should have asked me to type my master password in order to access my stored passwords, but it did not.
6. As I am able to see my passwords at home, apparently my passwords are not encrypted by Firefox or Firefox keeps my passwords in plain text. My passwords should have been kept encrypted but they are not.
7. Besides this, apparently the master password is not part of the sync process. It must be.

Blocks: 970167
Component: Untriaged → Sync

I think your request is "Sync should sync with passwords protected by the master password".

This isn't as straightforward as you think, nor is it particularly desirable.

Different devices support different kinds of storage. The master password encryption scheme itself is likely to change. Users expect to be able to recover their data using only their Firefox Account credentials. And so on.

So Sync encrypts your passwords on the wire and in storage, and leaves clients to protect them locally however they choose.

If you want Master Password to be turned on on all of your devices, simply turn it on on all of your devices.

No longer blocks: 970167
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX

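
A simplified model of the layering described in the comment above, added here as an illustration: it is not Firefox or Sync code, and the key derivation, the toy cipher and every name (`Device`, `seal`, `unseal`, `sync_roundtrip`) are assumptions made for the sketch. It shows that the synced record is encrypted under a key tied to the account, while each device decides on its own whether a master password wraps its local store.

```python
import hashlib, hmac, secrets

def kdf(secret: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-based keystream so the sketch needs only the standard library.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

class Device:
    """A client whose local store is wrapped only if master password is on."""
    def __init__(self, protected: bool):
        self.protected, self.salt, self.store = protected, secrets.token_bytes(16), b""
    def save(self, logins: bytes, master_password: str = ""):
        self.store = seal(kdf(master_password, self.salt), logins) if self.protected else logins
    def read(self, master_password: str = "") -> bytes:
        return unseal(kdf(master_password, self.salt), self.store) if self.protected else self.store

def sync_roundtrip(logins: bytes, account_password: str, work_mp: str):
    sync_key = kdf(account_password, b"constructed-account-salt")  # account layer
    work = Device(protected=True)
    work.save(logins, work_mp)                       # local layer, work machine
    record = seal(sync_key, work.read(work_mp))      # what the server stores
    home = Device(protected=False)                   # master password never enabled here
    home.save(unseal(sync_key, record))              # lands unwrapped on this device
    return record, work, home
```

Constructing the second device with `Device(protected=True)` and saving with its own master password is the model's equivalent of turning the feature on at home.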
Hi Richard, 

First of all, thanks for the answer, but unfortunately your answer made it clear that sync of passwords in Firefox is not secure at all. Obviously I am not able to secure the invisibility of my passwords even though I am using a master password.
I am really surprised by your answer. You just tried to close the case instead of solving it. And the worst is that you put the blame on the end-user.

have a nice work

Resolution: WONTFIX → INVALID