Firefox credential autofill displays my password (plain text) to anyone with access to my computer.

RESOLVED WONTFIX

People

(Reporter: zachary_fields, Unassigned)

Tracking

51 Branch
Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170201180315

Steps to reproduce:

When I navigate to a website (i.e. gmail.com).
Firefox offered to inject my profile (i.e. username and password) at the login page.
I clicked the show password checkbox.


Actual results:

I can see my* username and password in plain text.

*my = the owner of the computer


Expected results:

The "show password" checkbox should only be available when a user physically enters the password (so they can check their typing).

Otherwise, any person with access to the user's computer can navigate to any popular website login page, write down the credentials and log in at their leisure.

To go a step further, it would also be nice if Firefox had a profile with a master password (think KeePassX), to ensure that it is actually me who is navigating to web pages before injecting my passwords.

Firefox does have a master password, but once unlocked it's unlocked. There's also an add-on that times out the master password if you're paranoid about that (I use it). A request for a "profile password" is a duplicate request, but we've always decided to come down on the side of using the OS account features because the files themselves are otherwise unprotected. That's why they offer "Guest" logins now.
Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
(Reporter)

Comment 2

2 years ago
@Dan I think you got caught up in a suggestion and missed the description of the bug entirely.

To reiterate, Firefox shows stored passwords in plain text for any website to anyone at the keyboard.

(In reply to zachary_fields from comment #2)
> @Dan I think you got caught up in a suggestion and missed the description of
> the bug entirely.

I don't think he did:

> To reiterate, Firefox shows stored passwords in plain text for any website
> to anyone at the keyboard

… only if there is no master password enabled.

(In reply to zachary_fields from comment #0)
> I clicked the show password checkbox.

Can you provide a screenshot of said checkbox? Do you mean one provided by the website? The ways to view passwords in plaintext in Firefox UI should all respect the master password but it sounds like you didn't realize that we had a master password feature already?
(Reporter)

Comment 4

2 years ago
It's the stored password dialog box. Anytime you enter or update a password it pops up. I can't reproduce the bug now, but it appeared without me updating or entering a password. I was able to click the "Show Password" checkbox, and see the stored password in plain text. When I press the screenshot key, the dialog box disappears, but surely you know what I'm talking about. You can close this bug for now, and I'll reopen it when I get it to happen again.

OK, it sounds like you're talking about Firefox's doorhanger prompt asking to remember/update a saved password.

I confirmed that that checkbox doesn't appear if you have a Master Password (I remember that getting implemented) so the solution of enabling a master password (that Dan and I suggested) still stands.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX

If you do see a case where that prompt appears when it shouldn't then I'm interested in that if you have clear steps to reproduce on a specific site. You can file it in Toolkit::Password Manager:Site Compatibility.