Closed Bug 1757510 Opened 4 years ago Closed 2 years ago

User Personal information has no protection

Categories

(Toolkit :: Password Manager, defect, P3)

Product:
Toolkit
Component:
Password Manager
Version:
Firefox 97
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1403081

People

(Reporter: pernishshukla7, Unassigned)

Details

Attachments

(1 file)

bandicam 2022-03-01 11-42-25-269.mp4
3.16 MB, video/mp4
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36

Steps to reproduce:

Step to Reproduce

  1. Open Firefox
  2. Go to Setting
  3. Search for Password
  4. Go to Saved password
  5. You will find there is no password protection to view password

Actual results:

Because of this attacker can access every account password and email and takeover the account. For example: User forget to shutdown pc. As an attacker i can access everything related to victim through it

Expected results:

Attacker can access user personal detail eg: email & password, Because there is no password protection

Summary: Privacy → User Personal information has no protection

Pernish, thank you for filing this bug. You can setup Primary Password to add extra protection to saved logins.

It's worth to note that if attacker can get access to unlocked OS user account, they can install a keylogger, steal data and cause a lot of trouble. Securing OS account is the most important step to protect personal information.

Group: firefox-core-security

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Is this report closed?

(In reply to Pernish Shukla from comment #3)

Is this report closed?

Not yet, I'd like to discuss it with the team on our next meeting first and probably link it to bug 1261977.

The protection exists, but it's an opt-in and users might not be aware that they can set their Primary Password.

Yeah may be protection exist, but as it contains sensitive information. Password protection should make compulsory to all user. It shouldn't be optional. Because as normal user they only browse and they are unknown about it. None of us will search for primary password. For bug hunters, firefox is top priority browser. Even i didn't know that here isn't password protection. When i navigated to saved password in order to see my saved password, i noticed that there isn't password protection. For example, while using edge,chrome, brave etc browser. They have password protection it's not optional So browser shouldn't make password protection as optional. Hope you got it

Yep, that's exactly why we aren't closing this bug right away - we need to think of promoting protections.

Severity: -- → S3
Priority: -- → P3
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1403081
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: