Closed Bug 1302609 Opened 9 years ago Closed 9 years ago

If a master password is set, passwords are still synced, without the master password

Categories

(Firefox :: Sync, defect)

defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: botond, Unassigned)


This support page [1] about choosing what to sync using Firefox Sync, says the following about passwords:

> Passwords: this synchronizes your login information. This will be disabled if you use a master password

However, that's not the behaviour I experienced. I had a master password set, and the option to sync passwords was still enabled. Moreover, Firefox proceeded to sync my passwords to new profiles, without enabling master password on these new profiles.

Presumably this means the passwords were stored in the Sync database, encrypted only with the Firefox Account password, and not the master password.

This is potentially a security gotcha! Suppose I chose a strong password as my master password, but only a moderately strong password as my Firefox Account password, because I didn't intend to store passwords in my Firefox Account. In spite of this, I've now unwittingly stored my passwords in the cloud, protected only by the moderately strong Firefox Account password!

[1] https://support.mozilla.org/en-US/kb/how-do-i-choose-what-types-information-sync-firefox
(In reply to Botond Ballo [:botond] from comment #0)
> This is potentially a security gotcha! Suppose I chose a strong password as
> my master password, but only a moderately strong password as my Firefox
> Account password, because I didn't intend to store passwords in my Firefox
> Account. In spite of this, I've now unwittingly stored my passwords in the
> cloud, protected only by the moderately strong Firefox Account password!

That's not to mention the security implications of your passwords being stored in plaintext on the target machine, if you fail to notice that a master password wasn't set there.
Rachel, 2 questions:

1) You might recall a year or so ago I sent you some documentation on how Sync and Master Passwords interact, for use as a sumo article - do you recall where that ended up?

2) Are you able to correct https://support.mozilla.org/en-US/kb/how-do-i-choose-what-types-information-sync-firefox so that it no longer mentions that password Sync is disabled when a master password is set - and ideally, link to the article I ask about in (1)

Thanks.
Flags: needinfo?(rmcguigan)
Bug 1013064 and bug 927963 have some more commentary on all of this. Bug 973759 also gives some insight into how secure the master-password actually is (not very). The tl;dr is that this is going to end up WONTFIX.
Flags: needinfo?(rmcguigan) → needinfo?(markh)
Sync is working as designed here. See also bug 1311131, which describes how sync and the master password interact.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(markh)
Resolution: --- → WONTFIX
This is definitely a security issue which can be reproduced the following way.

1. Synchronize your firefox account in a device no matter how 'master password' is enabled or disabled.
2. After synchronizing your account, now disconnect it.
3. What happened? Nothing. All your bookmarks, logins, history and open tabs are there available for the owner of device, who does not have to know your master password used to create your saved logins but his own master password.

Although the account is disconnected from the device, all information registered to the device by this account is still there. Definitely it is not secure to use your firefox account in any device which does not belong to you. So, what is the idea having a firefox account if it is not available in any devices but those belong to me?

Following quoted from Mark Hammond, which describes how sync and the master password interact, https://bugzilla.mozilla.org/show_bug.cgi?id=1311131

"While Sync does encrypt your passwords on the wire and on the Sync servers, Sync itself does not make any attempt to encrypt them on the device itself - that is the job of the master-password. It is important to note that the master password itself is *not* synced between devices, so it is possible for one device to have a master-password and for another device to have no (or a completely different) master password. This means that the passwords have some protection on the first device, but reduced protection on that second device. It is possible to use a different (or no) master-password between devices because the passwords are always decrypted using that master-password before being handed to Sync for re-encryption and storage."

I have to say that this understanding of 'master password' is wrong because firefox account owner has to give the control of his saved logins and other saved information to the owner of the device by using that device. I think this is a big price to pay in order to access your firefox account in another device. Following the example in the quotation above, the second device with no master password has no protection at all, in fact, makes your synchronized information available to all possible users of the device in the future. A security gotcha!

As did Botond Ballo, I have also reported this security issue two years ago. I am surprised why it is not clear yet. I hope this calls the developers' attention.

All the best
Thanks for your input here. I don't think it will change the outcome of this bug, but it's really interesting and useful feedback. I'm cc'ing Alex and various members of the Lockbox team, because the above comment demonstrates an interesting point w.r.t. mental models of FxA and sync.

In the current world, saved logins "belong" to the individual Firefox profile that contains them. That Firefox can choose to encrypt them locally with a master password, and that Firefox can choose to sync them to other Firefoxes via your account, but those are decisions made locally on a profile-by-profile basis.

My interpretation of Dnelub's comment is that, in their mental model, the passwords "belong" to the user's Firefox Account rather than to any particular profile that happened to sync them down. From this perspective, the fact that a master password is in use should *also* be a property of the Account rather than of a particular device, and so the current implementation seems broken. Hence:

> I have to say that this understanding of 'master password' is wrong

Something for us to keep in mind for future plans both for Sync, and for Lockbox. That said, I don't think there's anything short-term we can do to improve the current situation for current sync, and this is indeed working as designed for current sync.

> Definitely it is not secure to use your firefox account in any device which does not belong to you.

This is 100% correct, yes, syncing data down to a device that does not belong to you will expose that data to the owner of that device.

> So, what is the idea having a firefox account if it is not available in any devices but those belong to me?

It is precisely to support syncing the data around between devices that you own. I agree that the ability to access your data "transiently" on e.g. a friend's device would be useful, but it's well outside the security model of the current sync system, and it would come with its own interesting set of security considerations.
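The interaction described in the comments above, as a simplified model added here (it is not Mozilla's code and not part of any comment): each profile protects logins at rest under its own master password, and Sync decrypts them locally and re-encrypts them under an account-derived key. The cipher is a stand-in built from HMAC-SHA256, and every name in the block (`Profile`, `sync_up`, `sync_down`, `readable_from_disk`) is hypothetical.

```python
import hashlib, hmac, os

def derive(secret: str, salt: bytes) -> bytes:
    # An empty secret models a profile with no master password set.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Stand-in authenticated cipher for this model, not the one Firefox uses.
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class Profile:
    def __init__(self, master_password: str = ""):
        self.salt = os.urandom(16)                      # on disk
        self.logins = {}                                # on disk: site -> blob
        self._key = derive(master_password, self.salt)  # in memory while unlocked

    def store(self, site: str, password: str) -> None:
        self.logins[site] = seal(self._key, password.encode())

    def sync_up(self, sync_key: bytes) -> dict:
        # Decrypt locally, re-encrypt for the server: the master password
        # plays no part in what leaves the device.
        return {s: seal(sync_key, unseal(self._key, b)) for s, b in self.logins.items()}

    def sync_down(self, records: dict, sync_key: bytes) -> None:
        for site, blob in records.items():
            self.store(site, unseal(sync_key, blob).decode())

def readable_from_disk(profile: Profile, guess: str = "") -> dict:
    # What someone holding only the profile's files (salt and blobs) recovers.
    key, out = derive(guess, profile.salt), {}
    for site, blob in profile.logins.items():
        try:
            out[site] = unseal(key, blob).decode()
        except ValueError:
            pass  # wrong key: this entry stays protected
    return out
```

In this model the protection a login gets at rest is decided by whichever profile received it, which is the "reduced protection on that second device" the quoted description refers to.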
Hi Ryan, thanks for the observations and support :) I think firefox account owners should be warned to avoid using their account in others' devices. It should be stated very explicitly, otherwise it is a serious problem.
See Also: → 1325271