Closed Bug 1664749 Opened 5 years ago Closed 5 years ago

Password and login information can be viewed by another user who uses another device application.

Categories

(Toolkit :: Password Manager, defect)

RESOLVED DUPLICATE of bug 1342943

People

(Reporter: amolhokarne597, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

Description:
In the Mozilla Firefox browser, when a user logs in to some websites, the user can save the login information and password. The user can use this information to log in again easily, or sometimes forgets the information (username and password). But when a second user uses the device of the first user, this second user can view and change the login information and password in menu >> login and passwords.

Steps:
1. Open browser >> open menu
2. Click on login and passwords
3. Another user can view and edit information for login

Impact:
1. When the first user logs in with his login information, the website can display it as incorrect because another user has already edited the information, or can take over the account of a particular website.
2. The first user can reset their password to log in again to the website, but some websites have inappropriate function or waste time. It is not as easy as simply logging in with login information. The user can stop using the browser.

Solution: Add extra layer of security for viewing and editing login information.

It can be a security recommendation which can be fixed in the latest Firefox version.

Thanks.

Flags: sec-bounty?
Attached video 20200913_171115.mp4

Sam, can you help triage this? Thanks.

Type: task → defect
Component: Security → Password Manager
Flags: needinfo?(sfoster)
Product: Firefox → Toolkit

Is it triaged?

(In reply to Amol hokarne from comment #0)

> Steps:
> 1. Open browser >> open menu
> 2. Click on login and passwords
> 3. Another user can view and edit information for login

This is the scenario which [Primary Password](https://support.mozilla.org/en-US/kb/use-primary-password-protect-stored-logins-and-pas) is designed for. Users have always had the ability to view and edit their own passwords (or the passwords of the profile they are using, if that was left unsecured) and while we take some measures to prevent the most casual snooping of passwords, if a profile is going to be shared, Primary Password should be used, or logins should not be saved at all.

I'll dupe to bug 1342943, as I think your expectation was that by default there would be some auth challenge to viewing what are ostensibly your own logins.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(sfoster)
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Group: firefox-core-security
Flags: sec-bounty-