Closed Bug 1906831 Opened 2 months ago Closed 17 days ago

Saved Passwords not protected by fingerprint if left open when you close phone or switch to another app

Categories

(Fenix :: Logins, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1904652

People

(Reporter: YouGina, Assigned: avirvara)

References

(Regression)

Details

(4 keywords, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Summary

Until recently, when I wanted to access passwords I would click the 3 dots next to the address bar, go to settings, then passwords, and then "Saved passwords". At this point you have to authenticate, and then the passwords are shown. After this, if you leave the screen open and Android auto-locks your phone, you have to re-authenticate after you open your phone again.

Now I noticed there is a new option "Passwords" directly when you click the 3 dots next to the address bar. When opening it here, you still have to authenticate before the passwords are shown. The problem, however, is that when you lock your phone, or when it locks automatically, the passwords view is not locked. After unlocking the phone, the last accessed password is still visible and you can also still access any of the other passwords.

Steps to reproduce

  • Open the passwords via the new "passwords" menu item, directly after clicking the 3 dots next to the address bar at the bottom of the screen
  • Authenticate when asked for it
  • Open any account and display the password
  • Lock the phone
  • Reopen the phone
  • Note that the password is still visible

Impact

The difference in behavior made me decide to report. While in most cases you will still need to authenticate to the phone, it is at least concerning that any passwords you had displayed before are now still visible on the screen.

Flags: sec-bounty?
Group: firefox-core-security → mobile-core-security
Component: Security → Logins
Product: Firefox → Fenix

I noticed that too -- confirming

Status: UNCONFIRMED → NEW
Ever confirmed: true

Also it should re-ask for the password if you switch apps and then switch back.

Going to unhide this because it's not a remote "attack", and if public maybe some people can protect themselves (by making sure they exit that screen right away).

Group: mobile-core-security
Severity: -- → S3

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Summary: Firefox for Android - New quick-access menu item "passwords" behaves different then old one under settings → Saved Passwords not protected by fingerprint if left open when you close phone or switch to another app

The new Passwords menu item was added in Fx 127 by bug 1887600.

:avirvara, since you are the author of the regressor, bug 1887600, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(avirvara)

Alexandra, do you know why the password manager’s unlock security would work differently when the password manager is opened from the three dot menu’s Passwords menu item (bug 1887600) than from the Settings menu’s Passwords menu item?

Assignee: nobody → avirvara
Flags: needinfo?(avirvara)

Yes, this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1904652. There is a work-in-progress patch for it.

Status: NEW → RESOLVED
Closed: 17 days ago
Duplicate of bug: 1904652
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE