Open
Bug 1485112
Opened 7 years ago
Updated 1 month ago
Setting a master password doesn't take effect until a restart as the user is already "logged in"
Categories
(Toolkit :: Password Manager, defect, P3)
Toolkit
Password Manager
NEW
People
(Reporter: adavis, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [passwords:master-password] [passwords:primary-password])
Filing this bug after seeing this:
https://old.reddit.com/r/firefox/comments/991lxs/security_flaw_with_password_manager/
Apparently, if you dismiss the master password box on forms, it will still populate your password on the site.
I quote from Reddit:
> Having stored my passwords and then having a master password set, if you go onto a site that has a stored password (but not logged in) the site fields become populated and then the master password box appears. If you click cancel then quickly press login on the site itself it will let you log in WITHOUT using the master password. After you have logged in the master password box comes up again but you just cancel it.
>
> Therefore you can log into ANY website without ever needing the master password so long as the site credentials have been previously stored.
>
> This makes the master password null and void as it does nothing.
>
> Am I doing something wrong here or overlooking something?
Updated•7 years ago
Component: General → Password Manager
Product: Firefox → Toolkit
Whiteboard: [passwords:master-password]
Comment 1•7 years ago
The user claimed they filed a bug report but maybe it was a SUMO question instead as I can't find it.
The problem went away for the user, who was also using Lastpass, so I suspect it was one of two things:
1) Lastpass was filling in the login (perhaps it wasn't properly torn down upon disabling).
2) The user just enabled or changed a master password but didn't restart the browser. I'm not sure that we fully cleanup any already decrypted data when setting a password.
If anyone can reproduce this then mark the bug as NEW. I can't reproduce this and it seems unlikely given that the username and password field are encrypted with the master password.
Status: NEW → UNCONFIRMED
Ever confirmed: false
Priority: -- → P3
Comment 2•7 years ago
The user confirmed on Reddit[1] that they didn't restart Firefox between setting a MP and seeing the bug so this is a case of (2). I can repro the bug but it's an edge case with temporary symptoms and I don't think this needs to be kept hidden.
One could argue that it's working as intended as the user just set the password in that session and we only need one login per session so it would be kinda pointless from a security perspective to ask the user to login again on the website 5 seconds later.
Some options:
* Make it clear that the Master Password doesn't take full effect until a Fx restart
* Force a logout of MP after setting or changing a password in changemp.js.
** As I said above it's kinda pointless other than in the scenario where a user wants to test out MP immediately after setting it. It could be useful for a case where the prompt to enter the MP is much later than the set/change action.
[1] https://www.reddit.com/r/firefox/comments/991lxs/security_flaw_with_password_manager/e4layao/
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: If Master Password is not entered, Firefox will still populate password fields → Setting a master password doesn't take effect until a restart as the user is already "logged in"
Updated•4 years ago
Whiteboard: [passwords:master-password] → [passwords:master-password] [passwords:primary-password]
Updated•4 years ago
Blocks: primary-password
Updated•3 years ago
Severity: normal → S3
Updated•1 month ago
Blocks: masterpassword
Updated•1 month ago
No longer blocks: masterpassword