Closed Bug 1232227 Opened 9 years ago Closed 5 years ago

oauth token for gmail incorrectly saved when "Use password manager to remember" box is unchecked

Categories

(Thunderbird :: Security, defect)

38 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: x.xeroid, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce:
Using LXLE 14.04.3. Set up GMail account in new install of Thunderbird. Entered email and password, leaving the save password box unchecked.

Actual results:
Thunderbird still remembers the password.

Expected results:
I should have been prompted for a password. This is a security issue with laptops.

Kenneth, I could not reproduce with a non-gmail account. Does it happen for you with a non-gmail account? If only gmail, what auth process did you use? OAuth? App password?
Flags: needinfo?(x.xeroid)
Whiteboard: [closeme 2016-12-15]
Wayne, I cannot reproduce this with a non-gmail account either. I used the default settings Thunderbird creates, oauth2, etc. I'm not signing in with app password. Even though I don't have the laptop using LXLE 14.04.3, I am using Thunderbird under Xubuntu 16.04 on a new one. Keyring is disabled.
Yes it only happens with a gmail account.
Blocks: 849540
Component: Untriaged → Security
Summary: Password remembered with unchecked box → Password for gmail incorrectly saved when "Use password manager to remember" box is unchecked
Flags: needinfo?(x.xeroid)
Whiteboard: [closeme 2016-12-15]

Is saving the oauth token the desired default behavior regardless of the checkbox?
If so, then invalid?

Flags: needinfo?(mkmelin+mozilla)
Summary: Password for gmail incorrectly saved when "Use password manager to remember" box is unchecked → oauth token for gmail incorrectly saved when "Use password manager to remember" box is unchecked

I'd say this is how it should be working. The account setup is a bit of a special case, but given how things work for any other later cases, you simply never get the option of saving or not when it comes to OAuth.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → WONTFIX