Closed
Bug 1284343
Opened 8 years ago
Closed 8 years ago
Extension displays plaintext passwords without asking for master password
Categories
(Toolkit :: Password Manager, defect)
RESOLVED
INVALID
People
(Reporter: kawb, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160319022113
Steps to reproduce:
- Master password is set
- Install Password Exporter extension (https://addons.mozilla.org/en-US/firefox/addon/password-exporter/ | https://github.com/fligtar/password-exporter)
- Use the extension to export saved passwords as plaintext
Actual results:
- Passwords were exported. Master password was not prompted for
Expected results:
- Request master password before the extension can retrieve passwords, or at least before they can be written as plaintext
Issue was opened at GitHub (https://github.com/fligtar/password-exporter/issues/55); the extension dev suggests that the issue lies in the Login Manager API, not the extension.
Comment 1•8 years ago
Jorge's analysis is incorrect and I've commented on GitHub. It's up to the extension to prompt if a master password is set.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
From GitHub:
> When displaying passwords in plaintext to users (like exporting does) the
> consumer should be prompting for the master password as additional security.
> That's how the password manager UI works, the prompt before revealing isn't
> implemented by the loginmanager code itself, it's the UI which prompts. See
> https://dxr.mozilla.org/mozilla-central/rev/88bebcaca249aeaca9197382e89d35b02be8292e/toolkit/components/passwordmgr/content/passwordManager.js#494
Correct me if I'm wrong, but from that explanation I understand that the master password is just a cosmetic measure, creating a false sense of security. An attacker with minimal technical knowledge (or none at all, installing the mentioned extension) will be able to retrieve the passwords as if there were no master password at all. A warning about this fact in https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins would be in the best interest of users.
Also, this statement at http://kb.mozillazine.org/Master_password is invalid:
> By setting a Master Password, anyone using your profile will be prompted to enter the master password when access to your stored passwords is needed.
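
The consumer-side check described in comment 1 and in the quoted GitHub reply, as an added example (not code from this bug, the extension or Firefox): the caller forces a master password prompt before any plaintext is produced. `makeFakeToken`, `mayRevealPasswords`, `exportPlaintext` and `sampleLogins` are hypothetical names; `checkPassword`, `login(force)` and `isLoggedIn` are the `nsIPK11Token` methods, supplied here by a simplified constructed stand-in so the logic runs outside Firefox.

```javascript
// Constructed stand-in for nsIPK11Token so the gate runs outside Firefox.
// In chrome code the real token comes from nsIPK11TokenDB.getInternalKeyToken().
// master: the master password ("" = none set); unlocked: session already
// unlocked; typed: what the user enters at the prompt (null = cancels).
function makeFakeToken({ master, unlocked = false, typed = null }) {
  let loggedIn = master === "" || unlocked;
  return {
    prompts: 0,
    checkPassword: pw => pw === master,
    login(force) {
      if (loggedIn && !force) return;   // no prompt needed
      this.prompts++;
      loggedIn = typed === master;
      if (typed === null) throw new Error("prompt cancelled");
    },
    isLoggedIn: () => loggedIn,
  };
}

// Consumer-side gate: decide whether plaintext passwords may be revealed.
function mayRevealPasswords(token) {
  // No master password set: the empty password matches, nothing to ask.
  if (token.checkPassword("")) return true;
  try {
    // force = true: prompt even when the session is already unlocked.
    token.login(true);
  } catch (e) {
    // Thrown when the user cancels the prompt; fall through to the check.
  }
  return token.isLoggedIn();
}

// Hypothetical exporter. getLogins is an assumed callback returning
// [{hostname, username, password}], e.g. a wrapper around the login manager.
function exportPlaintext(token, getLogins) {
  if (!mayRevealPasswords(token)) return null;   // refuse: nothing is read
  return getLogins()
    .map(l => [l.hostname, l.username, l.password].join("\t"))
    .join("\n");
}

// Constructed sample data.
const sampleLogins = () => [
  { hostname: "https://example.test", username: "alice", password: "hunter2" },
];
```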