Last Comment Bug 217625 - POP3 passwords are stored in Password Manager although forbidden
: POP3 passwords are stored in Password Manager although forbidden
Product: MailNews Core
Classification: Components
Component: Security (show other bugs)
: Trunk
: x86 Windows 2000
-- critical (vote)
: ---
Assigned To: David :Bienvenu
: John Unruh
Depends on:
  Show dependency treegraph
Reported: 2003-08-28 10:26 PDT by Karsten Düsterloh
Modified: 2008-07-31 01:24 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

proposed fix (1.40 KB, patch)
2003-08-28 15:14 PDT, David :Bienvenu
sspitzer: review+
sspitzer: approval1.5+
Details | Diff | Splinter Review

Description User image Karsten Düsterloh 2003-08-28 10:26:55 PDT
Mozilla 1.5b release:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827

Steps to reproduce:
- add new POP3 account that needs username/password
- try to get new mail: MailNews asks for the password
- enter password (but do *not* mark the checkbox for saving!)
- open Password Manager: an entry for this account has been added!

Furthermore, everytime you hit CTRL-T etc. to check for new mail, another
identical entry is added to the PM.

After closing Mozilla and starting up again, the entries are still visible in
the PM, but getting mail requires re-entering the password. 
This means, that Mozilla is even *claiming* to not having the password stored,
but does otherwise!

Marking as security problem.
Comment 1 User image Karsten Düsterloh 2003-08-28 10:35:54 PDT
I forgot to mention:
This does not occur with news or imap server requiring authentification!
Comment 2 User image chris hofmann 2003-08-28 14:11:30 PDT
adding mscott and bienvenu
Comment 3 User image David :Bienvenu 2003-08-28 14:40:43 PDT
taking, I'm sure that's my fault
Comment 4 User image David :Bienvenu 2003-08-28 15:14:25 PDT
Created attachment 130563 [details] [diff] [review]
proposed fix

we only need to store the password if we're password protecting the local cache
- otherwise, the password mgr/prompter handles this.
Comment 5 User image (not reading, please use instead) 2003-08-28 15:16:01 PDT
Comment on attachment 130563 [details] [diff] [review]
proposed fix

Comment 6 User image David :Bienvenu 2003-08-28 18:13:51 PDT
Comment 7 User image Christopher Aillon (sabbatical, not receiving bugmail) 2003-11-24 07:30:23 PST
Comment 8 User image David Epstein 2004-06-11 14:48:28 PDT
Verified with 1.7 RC3 Gecko/20040608. not appearing in the psswd mgr.

Note You need to log in before you can comment on or make changes to this bug.