Closed Bug 1828002 Opened 3 years ago Closed 2 years ago

Primary / master password is not asked when it's enabled but somebody right-clicks on a password field and... sees the password

Product / Component: Toolkit :: Password Manager (defect)
Version: Firefox 112
Status: RESOLVED WONTFIX
Reporter: kubry; Assignee: Unassigned

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0

Steps to reproduce:

  • Enable a primary / master password.
  • Right-click on a password field.

Actual results:

  • The password can be revealed.

Expected results:

  • Primary / master password should be asked (like it happens when somebody goes to Firefox settings and tries to see passwords there).

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)

I just tested this defect (Version 117.0.1, 64-bit) and can confirm the behavior.
I suggest a severity of S4 or (since this is security relevant) sec-low.

Primary Password protects data stored on disk, but it doesn't directly relate to regular password input on the web.

We could ask for the Primary Password on any "Reveal Password" attempt, but that would not stop anyone from opening devtools and reading the value from the input, or from injecting a script to read that value. Since it would not protect web inputs for real, I'm inclined to close this bug as wontfix. There might be some value in implementing Bug 1403081 for "Reveal Password", but it will not stop users from going to devtools.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(sgalich)
Resolution: --- → WONTFIX

Mmm.... if you go to the settings, to "logins and passwords", and try to reveal a password for a website... you are asked for the master password. Why, when an attacker can just go to the website and reveal the password? 🤔

Ganton,

"Settings > Logins and Passwords" reads passwords from disk. To decrypt data from disk it needs the Primary Password.
Going to some website does not reveal the password there without the user typing that password first.

There can be a few nuances; I'm happy to talk about it if you have a specific website or some screenshots (without actual personal information).
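The two comments above draw a line between credentials at rest (decrypted only with the Primary Password) and a value already sitting in a web page's input (plaintext to anything running in page context). The Python model below is an added illustration, not Firefox or NSS code and not from any commenter: LoginStore, PasswordField, autofill and page_script_reads are constructed names, the PBKDF2 iteration count is a made-up choice, and the HMAC-based keystream stands in for real authenticated encryption so the example runs offline.

```python
"""Constructed model of the trust boundary discussed in this bug.

Not Firefox code: the real Password Manager uses NSS (key4.db /
logins.json); only the shape of the boundary is kept here.
"""
import hashlib
import hmac
import secrets


class PrimaryPasswordRequired(Exception):
    """Stored credentials were read without a valid primary password."""


def _derive_key(primary_password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; 200k iterations is a constructed choice for this
    # example, not a Firefox parameter.
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt, 200_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative keystream from HMAC-SHA256 counter blocks. It stands in for
    # a real cipher so the example runs with the standard library only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


class LoginStore:
    """Credentials at rest, encrypted under a key derived from the primary password."""

    def __init__(self, primary_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        key = _derive_key(primary_password, self.salt)
        # A verifier lets a wrong primary password be rejected; the key itself
        # is never kept in the store, it is re-derived on every unlock.
        self.verifier = hmac.new(key, b"verifier", "sha256").digest()
        self.records = {}  # origin -> (nonce, ciphertext, tag)

    def _unlock(self, primary_password: str) -> bytes:
        key = _derive_key(primary_password, self.salt)
        candidate = hmac.new(key, b"verifier", "sha256").digest()
        if not hmac.compare_digest(candidate, self.verifier):
            raise PrimaryPasswordRequired("primary password missing or wrong")
        return key

    def save(self, origin: str, password: str, primary_password: str) -> None:
        key = self._unlock(primary_password)
        nonce = secrets.token_bytes(12)
        plain = password.encode()
        ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
        tag = hmac.new(key, nonce + ct, "sha256").digest()
        self.records[origin] = (nonce, ct, tag)

    def reveal(self, origin: str, primary_password: str) -> str:
        """Settings > Logins and Passwords: reading from disk needs the primary password."""
        key = self._unlock(primary_password)
        nonce, ct, tag = self.records[origin]
        if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
            raise ValueError("stored record was tampered with")
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class PasswordField:
    """A page's <input type=password>; the masking is a rendering choice only."""

    def __init__(self) -> None:
        self.value = ""

    def render(self) -> str:
        return "*" * len(self.value)


def autofill(store: LoginStore, origin: str, primary_password: str, field: PasswordField) -> None:
    # The browser decrypts once (prompting for the primary password if the
    # store is locked) and hands the plaintext to the page's input.
    field.value = store.reveal(origin, primary_password)


def page_script_reads(field: PasswordField) -> str:
    # Anything in page context (devtools console, an injected script, an
    # extension) sees the plaintext; no primary password is involved here.
    return field.value
```

The asymmetry is the whole point of the wontfix: a "Reveal Password" prompt could only gate the last function, and that function is not where the secret is protected.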

(In reply to Sergey Galich [:serg] from comment #6)

> [...] There can be a few nuances, I'm happy to talk about it if you have specific website or some screenshots (without actual personal information).

Thanks! Would you like to answer the question of my last comment?
I can change it in order to try to ease this matter: "Mmm.... after you have opened Firefox, you have been asked for the master password and you have typed it: if you go to the settings, to "logins and passwords", and try to reveal a password for a website... you are asked (again) for the master password. Why are you asked (again) for the master password?"

(If you are asked (again) for the master password because Firefox "thinks" that you may be an attacker... with the latest changes that have been made to Firefox, you (as an attacker) can just go to the website and reveal the password).

Thanks for your interest!
