Closed Bug 1593580 Opened 6 years ago Closed 6 years ago

Firefox Lockwise doest seems to Authenticate user before showing password

Categories

(Firefox :: about:logins, defect)

70 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1261977

People

(Reporter: vigneshwaransivasamy, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

  1. Install Firefox browser
  2. Now create an account in Firefox
  3. Save credentials in Firefox

Actual results:

Credentials saved can be viewed directly without authenticating the user.

Expected results:

Every time the user wants to see the password, he should be authenticated with the master password.

This issue may stop users from saving credentials in Firefox, as anyone can peek into the machine and look into someone else's credentials without any problem.

Summary: Firefox Lockwise doest seems to Authenticate user before showing passowd → Firefox Lockwise doest seems to Authenticate user before showing password

Matt, can you help triage? Thanks.

Component: Untriaged → about:logins
Flags: needinfo?(MattN+bmo)

This sounds like a duplicate of bug 1261977 or bug 1194529.

(In reply to vigneshwaransivasamy from comment #0)

> Every time the user wants to see the password, he should be authenticated with the master password.

That is what happens if the user enables Master Password: https://support.mozilla.org/kb/use-master-password-protect-stored-logins

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(MattN+bmo)
Resolution: --- → DUPLICATE

IMO, this bug shouldn't be a dupe after bug 1261977. As I see it, about:logins should offer a basic layer of protection in the lack of a master password. I've seen the OS password being requested in some password managers (don't recall exactly on what OS/browser).

The simplest use case I can think of is that somebody is allowed temporary access to my computer - let's say family visiting. It's weird to be concerned that my brother or anyone for that matter could have plain text access in 3 clicks to any of my saved credentials, even though he only has temporary access.

Flags: needinfo?(MattN+bmo)

(In reply to Adrian Florinescu [:adrian_sv] from comment #4)

> The simplest use case I can think of is that somebody is allowed temporary access to my computer - let's say family visiting. It's weird to be concerned that my brother or anyone for that matter could have plain text access in 3 clicks to any of my saved credentials, even though he only has temporary access.

They'd have that access anyway if they wanted to; they could copy the files off disk with a USB stick they brought, etc. etc.

The situation you describe is what the "guest" account on the OS was designed for.

While comment 5's statement is totally correct, it's also unrealistic - it would require the "attacker" to have minimal knowledge about profiles and password manager. Therefore, I feel that the approach to the problem is that if there's intent and premeditation, there's nothing that can currently be done, so we either do bug 1261977 or do nothing. But the point I was trying to make is that it is way too easy to access the user's credentials on a default setup.

(In reply to Adrian Florinescu [:adrian_sv] from comment #4)

> IMO, this bug shouldn't be a dupe after bug 1261977. As I see it, about:logins should offer a basic layer of protection in the lack of a master password. I've seen the OS password being requested in some password managers (don't recall exactly on what OS/browser).

Chrome does this and bug 1194529 is on file for that.

Flags: needinfo?(MattN+bmo)