Closed Bug 1595097 Opened 5 years ago Closed 5 years ago

Master password bypass

Categories

(Firefox :: Security, task)

Product:
Firefox
Component:
Security
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1584126

People

(Reporter: u650761, Unassigned)

References

(
URL
)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

In firefox 70.0.1 64 bit (Windows 10), when a master password is set and the user has entered the password during the current session, in the about:logins page you can see all the credentials the user has saved, but you have to enter the master password again to see the saved passwords in plaintext.

If you inspect the website you can change the type from password to text, which will show you the stored password in plaintext without the need of the master password.

This vulnerability allows a malicious actor that has phisical access to the computer of an user to steal all of it's credentials, skipping the master password function.

Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.