Logins and passwords are available in Lockwise after logging out (even in private mode)
Categories: Firefox :: Sync, defect
People: Reporter: pavel.v.trufanov; Assignee: Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Steps to reproduce:
I logged in to my Firefox account on a computer in the University library to use Lockwise as a password manager and work with some web services like email, Google Docs, etc. It is important to note that I was working in private mode.
Actual results:
After I finished working, I signed out of my Firefox account, but all passwords and usernames remained available on the computer for all people who visit the "about:logins" page. Moreover, all passwords could be obtained in plain text by clicking the show password button. So Firefox just saved all my passwords locally and they all remained available after I logged out.
In addition, Lockwise also saved the password from my Firefox account, so that with physical access to the computer, anyone could get full access to my account.
Here is a video demonstrating the problem:
https://drive.google.com/open?id=1iZlW5gbIzwYFQ6UuI47YA5--ncX2XoLG
Expected results:
I expected sensitive information like passwords to be deleted from the computer when I log out of my account.
As I realized later, Firefox sync is designed so that data is stored simultaneously on multiple user devices and is not deleted automatically. In this case, I would expect that access to passwords saved on the computer would be blocked, and access would require logging in to the account again.
The danger of Lockwise working this way is that if you realize that you have left all your passwords available to the next person who uses your computer too late, there is no way you can remotely block access to your data. You need to get physical access to your computer again or change all your passwords from all sites!
Comment 1 • 5 years ago
Thanks for the report. This is currently by-design (no local data is removed from Firefox when signing out) but we do recognize that this might be surprising and desired by a number of users, so we are tracking this over in bug 1600210.
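For administrators of shared machines, the by-design behaviour described above can be checked per profile. The following is an added example, not part of the bug thread or of Firefox's own code: it flags profiles that still hold saved logins while no account is signed in, without decrypting anything. It assumes saved logins live in `logins.json` and account sign-in state in `signedInUser.json` inside the profile directory; the function names and sample data are hypothetical and constructed.

```python
import json
import tempfile
from pathlib import Path


def _load(path: Path):
    """Return parsed JSON as a dict, or None if missing, unreadable or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def audit_profile(profile: Path) -> dict:
    """Report logins left in a profile; never reads or decrypts secrets."""
    logins = _load(profile / "logins.json")       # assumed saved-logins store
    account = _load(profile / "signedInUser.json")  # assumed sign-in state
    entries = [e for e in (logins or {}).get("logins", []) if isinstance(e, dict)]
    signed_in = bool((account or {}).get("accountData"))
    return {
        "profile": profile.name,
        "saved_logins": len(entries),
        "hosts": sorted({e.get("hostname", "?") for e in entries}),
        "signed_in": signed_in,
        # The situation from the report: signed out, credentials still local.
        "residual": len(entries) > 0 and not signed_in,
    }


def build_sample_profile(root: Path, name: str, n: int, signed_in: bool) -> Path:
    """Constructed sample profile with placeholder values only."""
    profile = root / name
    profile.mkdir()
    rows = [{"hostname": f"https://site{i}.example",
             "encryptedPassword": "PLACEHOLDER"} for i in range(n)]
    (profile / "logins.json").write_text(json.dumps({"logins": rows}))
    if signed_in:
        acct = {"accountData": {"email": "user@example.com"}}
        (profile / "signedInUser.json").write_text(json.dumps(acct))
    return profile


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for args in (("after-signout", 3, False), ("in-session", 2, True)):
            print(audit_profile(build_sample_profile(root, *args)))
```

A profile reported with `residual: True` on a shared computer is one where the previous user's saved logins are still viewable through about:logins.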