Mozilla 1.5b release:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030827
Steps to reproduce:
- add new POP3 account that needs username/password
- try to get new mail: MailNews asks for the password
- enter password (but do *not* mark the checkbox for saving!)
- open Password Manager: an entry for this account has been added!
Furthermore, everytime you hit CTRL-T etc. to check for new mail, another
identical entry is added to the PM.
After closing Mozilla and starting up again, the entries are still visible in
the PM, but getting mail requires re-entering the password.
This means, that Mozilla is even *claiming* to not having the password stored,
but does otherwise!
Marking as security problem.
I forgot to mention:
This does not occur with news or imap server requiring authentification!
adding mscott and bienvenu
taking, I'm sure that's my fault
Created attachment 130563 [details] [diff] [review]
we only need to store the password if we're password protecting the local cache
- otherwise, the password mgr/prompter handles this.
Comment on attachment 130563 [details] [diff] [review]
Verified with 1.7 RC3 Gecko/20040608. not appearing in the psswd mgr.