Closed Bug 1409339 Opened 7 years ago Closed 7 years ago

Password saved in plain text / unencrypted

Categories

(Thunderbird :: Security, defect)

58 Branch
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 352692

People

(Reporter: lucas.boncoin, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

I'm a young security researcher and I've found a vulnerability in the Thunderbird security system. I would report it, but I don't know where I have to report new vulnerabilities. Here it's only for "bugs".


Actual results:

I could get access to all passwords stored for a user.


Expected results:

Normally I couldn't do that if the system blocked me correctly.
Flags: needinfo?(lucas.boncoin)
Dear Security team,

Sorry for the delay, but the bug is not located in Thunderbird, but in Mozilla directly. I found this during my Master's degree, during a forensic investigation. I will explain:
If I use a crafted way to access another computer (like metasploit, windows ActiveX or any other dirty way to get a reverse shell) I could access the different folders of the computer. The problem is that you have kindly explained the location of these useful files in your support section. I'm talking about "key3.db" and "logins.json". Of course I found that those files are encrypted with TripleDES in CBC mode, but it doesn't matter. The "vulnerability" here is that if I recover those files, even if they are encrypted, there is no security if I import them into my own computer and into my own Mozilla browser. After the import is done I can easily get access to the "show password" feature and Bingo, all the passwords are shown.

So, I know that first of all it is not your problem if someone gets access to a server or a personal computer. But when some personal information like Mozilla passwords has been stolen, you should have a look at protecting that. We can imagine a company cyber-attack and not necessarily a personal computer attack on someone we do not know.
By the way, it is not complicated to avoid that. The files are encrypted but the way to import them is not secure. The way to secure that is to protect the import with a nonce/id (a unique signature) of the computer which used the "store password" feature for the first time.

Remember, when you propose to your users a way to recover their password, you don't give back the password in clear text; you send back an email with a token to re-create it. That's what I would say: here everybody can re-use both files and it is not a good security work-around to protect the user password.

I stay available if you would like more information.
Thank you for your time; I hope to help you.

We work in the same field; protection is the same target...
Flags: needinfo?(lucas.boncoin)
Summary: Found a Vulnerability into Thunderbird, I want to report it → Found a Vulnerability into Mozilla, I want to report it
It is a known issue that passwords are unencrypted by default (or effectively so: encrypted with a default password of "" to simplify the client code). Users can create a "master password" in settings which does then encrypt the passwords.

See bug 352692 for the same discussion in Firefox about whether we should proactively inform users about this feature.

The master password, however, only encrypts your _passwords_ and not your mail files. If it's enabled the default startup behavior of checking the server for new mail often triggers the master password prompt to unlock the server password, and this behavior misleads many people to believe that they are unlocking their _mail_, leading to a false sense of security. That request is bug 35308, but seems unlikely to happen when OS accounts and file encryption already do a more thorough job than we can (see also bug 16489).
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Summary: Found a Vulnerability into Mozilla, I want to report it → Password saved in plain text / unencrypted
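The default-password situation the preceding comment describes, as an added example that is not Mozilla code and does not reproduce the real key3.db/key4.db layout or NSS's key derivation (a simplified PBKDF2 model and an HMAC-based stand-in for 3DES-CBC are assumed instead). What it keeps from the real design is the mechanism the comment relies on: the profile stores salts plus a fixed sentinel encrypted under the master key, and a candidate master password is accepted when the sentinel decrypts correctly. The example shows why the files are portable when that password is "", and how an audit can confirm that a master password is set without recovering any stored login.

```python
"""Toy model of a Mozilla-style profile key store (constructed example).

Not the real key3.db/key4.db format and not NSS's KDF: PBKDF2-HMAC-SHA256
and an HMAC counter-mode keystream stand in for NSS's derivation and 3DES-CBC
so that the example runs with the standard library only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# NSS keeps a fixed sentinel encrypted under the master key and checks a
# candidate master password by decrypting it; the same idea is used here.
SENTINEL = b"password-check"
ITERATIONS = 100_000


@dataclass
class ProfileKeyStore:
    """The parts of the profile files that matter here (constructed layout)."""
    global_salt: bytes        # 20 bytes, stored in the profile
    entry_salt: bytes         # 20 bytes, stored in the profile
    encrypted_sentinel: bytes  # len(SENTINEL) bytes, stored in the profile


def derive_key(master_password: str, store: ProfileKeyStore) -> bytes:
    """Derive the profile key (simplified model, not NSS's real KDF).

    Both salts ship inside the profile files, so the only input that does
    not travel with the files is the master password itself.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        store.global_salt + store.entry_salt,
        ITERATIONS,
        dklen=32,
    )


def _stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for 3DES-CBC: HMAC-SHA256 keystream in counter mode.

    `label` separates the keystream of each record type; encryption and
    decryption are the same operation.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def create_keystore(master_password: str = "") -> ProfileKeyStore:
    """Create a key store; the default "" mirrors the out-of-the-box state."""
    store = ProfileKeyStore(os.urandom(20), os.urandom(20), b"")
    key = derive_key(master_password, store)
    store.encrypted_sentinel = _stream_xor(key, b"sentinel", SENTINEL)
    return store


def verify_master_password(store: ProfileKeyStore, candidate: str) -> bool:
    """True if `candidate` unlocks the store (the sentinel decrypts correctly)."""
    key = derive_key(candidate, store)
    plain = _stream_xor(key, b"sentinel", store.encrypted_sentinel)
    return hmac.compare_digest(plain, SENTINEL)


def master_password_is_empty(store: ProfileKeyStore) -> bool:
    """Audit check: does the empty default master password unlock this profile?

    A 'yes' is the situation the bug report describes: every input needed to
    derive the key is in the files, so a copy unlocks on any machine.
    """
    return verify_master_password(store, "")


def export_profile_files(store: ProfileKeyStore) -> bytes:
    """Serialize the store as it would be copied off disk: nothing machine-specific."""
    return store.global_salt + store.entry_salt + store.encrypted_sentinel


def import_profile_files(blob: bytes) -> ProfileKeyStore:
    """Load a copied store into a 'different installation'."""
    return ProfileKeyStore(blob[:20], blob[20:40], blob[40:40 + len(SENTINEL)])


if __name__ == "__main__":
    for name, store in [("default profile", create_keystore()),
                        ("profile with master password", create_keystore("correct horse battery staple"))]:
        copied = import_profile_files(export_profile_files(store))
        print(f"{name}: empty master password unlocks copy = {master_password_is_empty(copied)}")
```

The audit function only ever compares the decrypted sentinel against a constant, so a compliance check built this way confirms "a master password is set" without touching any stored login. The reporter's machine-binding idea would amount to adding a per-machine secret to `derive_key`'s inputs that is not written into the exported files; the comment above notes the trade-offs that made Mozilla prefer OS-level account and disk encryption instead.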