Master passord bypassed by Greasyfork script Show plaintext password on MouseOver that shows all saved passwords for pages on login # ff 48 and previous and/or later




a year ago
a year ago


(Reporter: zh0so, Unassigned)


48 Branch
Windows 7

Firefox Tracking Flags

(Not tracked)




a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

Install maybe others work too.
If you enter the masterpassword once and then you will see all your passwords in plaintext on any login page without entering it again like in>saved login settings.

Actual results:

If i login to a site with a saved password i enter my masterpassword once then all of my other saved login pages appear in plaintext on all sites i have more than 150 saved passwords all unique and 30~128+ characters.
If i leave my browser open in a shared space 5min someone can see copy and steal my passwords very easy and very fast, i already use grease monkey and installing that took nothing at all,and no security checks.
 Clicking to settings>saved logins presents an index of all the sites i have saved passwords for requiering no security check.
Same problem again settings>privacy>cookies exception/ show cookies/ no security check.

Expected results:

If i set a master password sensitive settings and config should be frozen and out of reach behind the password, and prevent the user from installing any addons,forks or scripts to them,or presenting the password index,saved cookies/cookie exceptions or rules,i should be able to set a level to it from entering it once or everytime.
I should be able to lock firefox entirely when i am away forcing me to enter my password when i return.

Comment 1

a year ago
I tester it some more and found at least:
are compleetly bypassed without any masterpassword entered
and there are many other sites witch i wanted to try but dont have accounts to.


a year ago
Severity: normal → critical
OS: Unspecified → Windows 7
Hardware: Unspecified → x86
The website can also read your password, and you could read it using the web console or browser console. At the point where we insert it into a page, it's world-readable. This is a known limitation of any password manager that autofills logins.

Adding a lot more master password prompts after you have already provided your master password would defeat the point - you'd be typing your master password all the time. Then there's bookmarks and your search history on tools like Google, so even us "locking down" history and saved passwords wouldn't really help.

(In reply to zh0so from comment #0)
> If i leave my browser open in a shared space 5min

"Don't do that."

> I should be able to lock firefox entirely when i am away forcing me to enter
> my password when i return.

You should use your OS screen lock mechanism for this. "Locking" only Firefox would not help you, as the user could just use a file manager and copy files off the disk instead, or read the machine's memory with an external tool, or...

Even with screen lock on, it would still allow people to use hardware to manipulate the machine. Don't leave your machine alone with people you don't trust.
Group: firefox-core-security
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 933223

Comment 3

a year ago
I have found that masterpassword+ addon (witch you could mention) works just as i intented to use the password and does no start the browser without entering my code so it seems copying my profile is useless and locks the entire browser as i wish,
 still the problem with modifing config and installing any addons without security checks and presenting the password index,saved cookies/cookie exceptions or rules still remains,and that script still shows anything just as before.
Now with this ramdom info that i found and just gave you in the bug i can steal passwords where i wish,and i dont know how to use the console.

Scrubing this as a no big deal, you make me wonder why do i even bother posting bugs directly to you maybe i should send them to public to try them for themselves and then people will use something else that actually works.
You need to log in before you can comment on or make changes to this bug.