Closed Bug 1580203 Opened 5 years ago Closed 5 years ago

Prefilled password can be read from data-initial-value

Categories: Toolkit :: Password Manager, defect
Priority: Not set, Severity: normal
Status: RESOLVED INVALID
People: Reporter: jhorak, Unassigned

We have a report from a user, and I'm unsure whether everything is okay:


I am using 68.0.2 on F30 and I still see something I am not sure is correct.

What I am seeing is:

  1. Set Master password.
  2. Go to Gmail, enter the Gmail password and add the account and password to Master when prompted.
  3. Log out of Gmail and close the browser.
  4. Open Firefox, load Gmail, and I am asked for Master before I can get to Gmail.
  5. Log out of Gmail and don't close the browser.
  6. Log into Gmail and, without being prompted to enter the Master password, I can see and copy the existing password from Gmail.

It seems like closing the browser is the gating factor. I only have Gmail added to the Master.


Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1745687

Since I can look up the password on the Gmail login page as the data-initial-value attribute of the input element, it seems more like a feature to me, but I'd rather double-check it.

This is working as expected. The master password feature is used to encrypt the data in the login store. The first time you access a record we will prompt the user for the master password to decrypt the store for that session. We also prompt any time a password will be revealed as plain-text, such as in the management UI. We don't repeatedly prompt for the master password with each successive use during that session. Closing the browser ends the session.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

Btw, the Master Password lifetime lasting for the session is documented on our support page at https://support.mozilla.org/kb/use-master-password-protect-stored-logins

Note: After you've set a master password, it needs to be entered the first time you remember a new password or remove passwords and each time you show your passwords, for each Firefox session.

(Though it doesn't explicitly mention that the first time we fill the login is another case where we could ask if we haven't already asked to unlock).

(In reply to Sam Foster [:sfoster] (he/him) from comment #1)

This is working as expected. The master password feature is used to encrypt the data in the login store. The first time you access a record we will prompt the user for the master password to decrypt the store for that session. We also prompt any time a password will be revealed as plain-text, such as in the management UI. We don't repeatedly prompt for the master password with each successive use during that session. Closing the browser ends the session.

I am testing firefox-69.0-2.fc30.x86_64, currently. I understand how the Master Password is supposed to work by encrypting the saved logins. I just want a clarification for something I am seeing.

I am in a Firefox "Session window" and have my Master Password entered and I access my email by entering the Master Password that lets me access my saved passwords. I am happy and have email.

Once I use the Master Password, I can log out of Gmail, not close the session window, get back in within the "Session" and have no problem accessing email. If I log out and close the window, I will then be prompted for the Master Password every time.

What I am seeing is: if I open the initial browser, enter my Master Password, get email, then open a NEW Firefox window for something else (right-click the FF icon and Open New Window), log out of Gmail in the first window and close the first browser, the new browser still has the information to view the Gmail password and does not require a Master Password. If you think the new browser is part of the same session, I am good and the Master Password seems to be in pretty good shape. If not, let me know if you want me to file a bug.

I am using F30 and cinnamon-4.2.3-2.fc30.x86_64.

(In reply to Bill Sanford from comment #3)

What I am seeing is: if I open the initial browser, enter my Master Password, get email, then open a NEW Firefox window for something else (right-click the FF icon and Open New Window), log out of Gmail in the first window and close the first browser, the new browser still has the information to view the Gmail password and does not require a Master Password. If you think the new browser is part of the same session, I am good and the Master Password seems to be in pretty good shape. If not, let me know if you want me to file a bug.

Yeah, that's exactly right. A "session" is not a single window; it is activity in all (non-private) windows from when you launch Firefox to when you close it or the last window.
