Closed Bug 1284343 Opened 8 years ago Closed 8 years ago

Extension displays plaintext passwords without asking for master password

Categories

(Toolkit :: Password Manager, defect)

46 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: kawb, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160319022113

Steps to reproduce:
- Master password is set
- Install Password Exporter extension (https://addons.mozilla.org/en-US/firefox/addon/password-exporter/ | https://github.com/fligtar/password-exporter)
- Use the extension to export saved passwords as plaintext

Actual results:
- Passwords were exported. Master password was not prompted

Expected results:
- Request master password before the extension can retrieve passwords, or at least before they can be written as plaintext

Issue was opened at GitHub (https://github.com/fligtar/password-exporter/issues/55); the extension dev suggests that the issue lies in the Login Manager API, not the extension.
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Jorge's analysis is incorrect and I've commented on GitHub. It's up to the extension to prompt if a master password is set.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
From GitHub:

> When displaying passwords in plaintext to users (like exporting does) the
> consumer should be prompting for the master password as additional security.
> That's how the password manager UI works, the prompt before revealing isn't
> implemented by the loginmanager code itself, it's the UI which prompts. See
> https://dxr.mozilla.org/mozilla-central/rev/88bebcaca249aeaca9197382e89d35b02be8292e/toolkit/components/passwordmgr/content/passwordManager.js#494

Correct me if I'm wrong, but from that explanation I understand that the master password is just a cosmetic measure, creating a false sense of security. An attacker with minimal technical knowledge (or none at all, installing the mentioned extension) will be able to retrieve the passwords as if there were no master password at all. A warning about this fact in https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins would be in the best interest of users.
Also, this statement at http://kb.mozillazine.org/Master_password is invalid:

> By setting a Master Password, anyone using your profile will be prompted to enter the master password when access to your stored passwords is needed.
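
The consumer-side check the quoted GitHub comment describes, as an added example (not code from Firefox, Password Exporter, or anyone in this thread). The `checkPassword`/`login`/`isLoggedIn` calls follow `nsIPK11Token`; `confirmMasterPassword`, `exportLoginsAsText` and `makeFakeToken` are hypothetical names, and the fake token is a constructed stand-in so the gate can run outside Firefox.

```javascript
// Added example; not Firefox or Password Exporter code.
// `token` must expose the nsIPK11Token methods checkPassword(), login() and
// isLoggedIn(). In privileged add-on code it would be obtained with
// (assumed context, not executed here):
//   Cc["@mozilla.org/security/pk11tokendb;1"]
//     .getService(Ci.nsIPK11TokenDB).getInternalKeyToken()
function confirmMasterPassword(token) {
  // If the empty password unlocks the token, no master password is set.
  if (token.checkPassword("")) {
    return true;
  }
  // A master password is set, and the failed check above logged the token
  // out, so ask the user for it again.
  try {
    token.login(true); // true = always show the prompt
  } catch (e) {
    // Thrown when the user cancels the prompt; the check below then fails.
  }
  return token.isLoggedIn();
}

// Hypothetical export entry point. `loginManager` needs getAllLogins(), as
// nsILoginManager has; it is not called unless the gate passes.
function exportLoginsAsText(token, loginManager) {
  if (!confirmMasterPassword(token)) {
    return null; // refuse to export
  }
  return loginManager.getAllLogins()
    .map((l) => [l.hostname, l.username, l.password].join("\t"))
    .join("\n");
}

// Constructed stand-in for the token so the gate can be run outside Firefox.
// typedByUser is what the user enters at the prompt, or null for "Cancel".
function makeFakeToken(masterPassword, typedByUser) {
  let loggedIn = true; // store already unlocked earlier in the session
  return {
    checkPassword(pw) {
      loggedIn = pw === masterPassword; // a failed check logs out
      return loggedIn;
    },
    login() {
      if (typedByUser === null) throw new Error("prompt cancelled");
      loggedIn = typedByUser === masterPassword;
    },
    isLoggedIn() { return loggedIn; },
  };
}
```

The gate only covers this one caller: `getAllLogins()` itself still returns decrypted logins to any privileged code that skips the check, which is the behaviour the thread is about.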