Closed Bug 1928317 Opened 1 year ago Closed 1 year ago

export for mobile - need option to disable this feature

Categories

(Thunderbird :: Preferences, enhancement)

Thunderbird 128
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: a.wass, Unassigned)

Details

(Keywords: doc-bug-filed)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

Steps to reproduce:

I was able to integrate my email profile into Thunderbird for Android in 10 seconds. Integrating other people's email profiles into my cell phone would work just as quickly if they leave the workplace briefly and the computer is not locked.

Actual results:

The "export for mobile" function is really a big security problem in a corporate environment, as anyone can export their email profile or other people's email profiles to their own private cell phones. In addition, you can read the passwords with a QR code scanner, as they are in plain text in the QR code.

Expected results:

Please make this function deactivatable by administrators so that users cannot use it and cannot change this setting.

See Also: → 1928232

Thanks for your report.

As we currently have a UAC prompt which protects Settings --> Saved Passwords, we're going to implement this same protection for the Export for Mobile tool. Would that satisfy your needs, given that it is similarly accessible?

Flags: needinfo?(a.wass)

For us it would help if the "export for mobile" function could only be executed if the Windows user is a local administrator.

1.) we absolutely must prevent users from exporting email accounts to smartphones without administrator rights

2.) we absolutely must prevent users from seeing stored passwords in Thunderbird without administrator rights, which we can already prevent by setting the following line in "C:\Program Files\Mozilla Thunderbird\Thunderbird.cfg":

lockPref("pref.privacy.disable_button.view_passwords", true);

This sets the "Saved Passwords" button to inactive.

Maybe there is also a way to implement a parameter in this file to set "export for mobile" to inactive or hide it.

Flags: needinfo?(a.wass)

It would not help if this is implemented in the same way as with Saved Passwords, because after entering the user password at the UAC the user can still see the stored Thunderbird passwords as plain text.

If this is implemented in such a way that local administrator credentials are required at UAC login, this would help best.

Thanks for the quick feedback!

In addition to implementing the UAC control, we will use "pref.privacy.disable_button.view_passwords" to control the display of the "Include all accounts passwords" option.

Will this also be possible for the new feature "export for mobile" in future versions?

Summary: export for mobile - need option for diable this feature → export for mobile - need option to disable this feature

Sorry, I misunderstood your last comment. It would be great if the "Include all accounts passwords" option could be controlled with "pref.privacy.disable_button.view_passwords".

Will this be available in the next Thunderbird version?

As a small addition, I would like to point out that the checkbox settings from "Include all accounts passwords" are not saved when Thunderbird is closed. Every time Thunderbird is opened the checkbox is set.

Yes, we have a patch landing soon for "Include all accounts passwords" option being controlled by "pref.privacy.disable_button.view_passwords" and should be in ESR next week we hope.

The future of this feature is not yet certain as we have Sync on the horizon, so for now the checkbox is stateless.

Hey Guys, great job. Since version 128.4.2 "Include all accounts passwords" is hidden if ("pref.privacy.disable_button.view_passwords", true); is set in C:\Program Files\Mozilla Thunderbird\thunderbird.cfg
This is exactly what we wanted :-)

No problem & thanks for the suggestion. Some of the team weren't aware of this setting and your comment 2 helped us to improve and document this!

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
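An administrator-side check for the setting discussed in this bug, as an added example that is not part of the thread or of Thunderbird's code: it reads the text of a thunderbird.cfg AutoConfig file and reports whether "pref.privacy.disable_button.view_passwords" is actually locked to true. The function name `audit_cfg`, the result labels and the sample files are assumptions constructed for illustration; it also flags typographic quotes picked up by copy-paste, which are not valid in the file.

```python
import re

PREF = "pref.privacy.disable_button.view_passwords"  # pref name from the thread
CURLY = "\u201c\u201d"                                # typographic double quotes

# Constructed sample files (not taken from any real deployment).
HEAD = "// line 1 of an AutoConfig file is ignored\n"
GOOD_CFG = HEAD + 'lockPref("%s", true);\n' % PREF
CURLY_CFG = HEAD + 'lockPref(\u201c%s\u201d, true);\n' % PREF
COMMENTED_CFG = HEAD + '// lockPref("%s", true);\n' % PREF
UNLOCKED_CFG = HEAD + 'pref("%s", true);\n' % PREF
FIRST_LINE_CFG = 'lockPref("%s", true);\n' % PREF

# Matches pref("name", value), defaultPref(...) and lockPref(...) calls,
# accepting curly quotes too so they can be reported instead of missed.
CALL = re.compile(
    r'\b(lockPref|defaultPref|pref)\s*\(\s*(["\'%s])(.+?)(["\'%s])\s*,\s*(\w+)\s*\)'
    % (CURLY, CURLY)
)

def audit_cfg(text, pref=PREF):
    """Return 'locked', 'not-locked', 'bad-quotes' or 'missing' for pref."""
    result = "missing"
    # AutoConfig skips line 1, so a directive placed there has no effect.
    for line in text.splitlines()[1:]:
        # Simplification (assumption): only // line comments are stripped;
        # /* */ blocks and "//" inside string values are not handled.
        code = line.split("//", 1)[0]
        for func, q1, name, q2, value in CALL.findall(code):
            if name != pref:
                continue
            if q1 in CURLY or q2 in CURLY:
                return "bad-quotes"  # syntax error: the file will not load
            # The last matching call in the file decides the outcome.
            locked = func == "lockPref" and value == "true"
            result = "locked" if locked else "not-locked"
    return result

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CFG), ("curly", CURLY_CFG),
                       ("commented", COMMENTED_CFG), ("unlocked", UNLOCKED_CFG),
                       ("first line", FIRST_LINE_CFG)]:
        print(label, "->", audit_cfg(cfg))
```

Only a "locked" result means the "Saved Passwords" button is disabled in a way the user cannot change.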