Closed Bug 119828 Opened 23 years ago Closed 23 years ago

Credit Card information plainly visible w/o supplying a password

Categories

(Toolkit :: Form Manager, defect)

Product:
Toolkit
Component:
Form Manager
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED INVALID

People

(Reporter: bugzilla, Assigned: morse)

Details

(Keywords: privacy) 

Even with the Master Password feature turned on, I'm only six clicks away from
seeing someones stored credit card information in Mozilla. Edit | Prefs |
Privacy and Security | Forms | View Stored Data | Credit Card.

That's very uncool. 

There should either be a password for using my profile, or a password on View
Stored Data at the very least.
Keywords: privacy
If you had the data encrypted rather than obscured, you would not be able to 
view the data.  When you hit the "view" button, you would have received a 
messgae asking for your master password.  And if you failed to supply it, you 
would have received a message saying "unable to unlock the database".
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
What are you talking about?

Where is that an option?

I, like most people, put trust in Mozilla that I didn't have to find an obscure
option to keep my data safe.
It's in tasks->privacy->password-manager->encrypt

When you first saved your credit-card information you were presented with a 
dialog explaining all this to you, and telling you that if you wanted security 
you need to encrypt your data.  I guess you didn't read that dialog.

To see what I'm talking about, create a fresh profile and then save some form 
data.  You'll see that dialog.
bz on irc.mozilla.org showed me Preferences > Privacy and Security > Web Passwords.

I'm guessing there's a dialog that pops up and tells me that I need to encrypt
my data, but if that's all it does (tell me, not give me the option to do it
right then) it's deficient. It should give me the option of right then and there
turning this on, IMO. Should I file a new bug suggesting that or modify this one?
See the discussion in bug 43503.  It explains that this dialog is really a CYA 
thing and not really intended to give users the option to set the encryption 
mode at that time.  If is presented for legal reasons only, so that a person 
experiencing what you did can't hold Netscape/Mozilla liable when your sensitive 
information is compromised.

Verified
Status: RESOLVED → VERIFIED
Product: Core → Toolkit
QA Contact: tpreston → form.manager
You need to log in before you can comment on or make changes to this bug.