Saved password disclosure in Mozilla Firefox browser
Categories
(Toolkit :: Password Manager, defect)
People
(Reporter: gautammujjwal, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Mozilla Firefox version - 91.0.2 (64-bit)
Reproduction steps
- Click on the 3 horizontal bars on the top right.
- Click on Passwords.
- Click on the "show password" icon beside the copy button in the password field.
Comment 1•4 years ago (Reporter)
What is the attack scenario?
My friend, using my laptop for a short time, can view all my saved passwords without having to enter the computer password, which is a very sensitive issue as all saved passwords will be disclosed.
What is impact?
UserB, using the laptop of UserA for a very short time, gets access to all the saved passwords of the system in the Firefox browser. This is a very sensitive issue.
What is the fix to this vulnerability?
When the "Show password" icon is clicked, browsers like Google Chrome and Microsoft Edge ask to enter the laptop password before displaying the password. This is the fix to this sensitive vulnerability.
Comment 2•4 years ago
What you are describing is known and intended behavior. We recommend people who use shared devices to lock their accounts and use individual system accounts for each individual user.
If you further want to protect your passwords, you can encrypt and lock them using a Primary Password.
Thank you for reporting this bug to us, it will be ineligible for a bug bounty. If you want to know more, there are numerous duplicates filed for this finding.