Closed
Bug 252080
Opened 21 years ago
Closed 20 years ago
Anyone near my computer can see my passwords in five clicks.
Categories
(Thunderbird :: Account Manager, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 259996
People
(Reporter: bwill100, Assigned: mscott)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Bug #233410 makes this problem much worse--but it isn't the same thing.
There is a button in thunderbird that would allow anyone knowledgeable about the
program to view another user's password. No warning about it during install so
the average user wouldn't realize how naked his information was.
This may not be important for single people with no visitors who always log onto
their computer with a password but it is CRITICAL to anyone who uses a computer
in an office or might not want some visitor to his house to go home with all of
the information necessary to steal his e-mail identity and use it on another
computer.
Tools>Options>Advanced>Manage Passwords>Show Passwords.
This is not so much a bug as design flaw--and should be considered an emergency
since some people equate "e-mail client" with at least a minimum level of
security. This design will not even keep the honest people out.
Reproducible: Always
Steps to Reproduce:
1.Walk up to unattende computer
2.Click tools
3.Click Options
4.Clikc Advanced
5.Click Manage Stored Passwords
6. Click Show Passwords
7. write down visible un-masked information
8. Return home and enter into e-mail client of your choice
9. Send pornographic e-mail to boss, spouse, law-enforcement or 10,000 internet
users--from the poor guy who's computer you had access to for 10 seconds.
Actual Results:
This is easy to find and understand--I just hope someone can see it for the
serious problem it is.
Expected Results:
There should be no way to view an unmasked password unless the user has typed in
the Master Password only seconds before. Even if this is allowed to happen--the
masks should reappear or the form should close and reset within a matter of a
minute or so.
I attempted to set a master password (see bug 233410) with no success. But
simply setting a master password will not solve this if another user could
access this info while you were in the restroom--without having to enter the
master password himself.
I am checking keep this problem confidential until it's fixed but I really don't
think you should unless you can fix this in 24 hours or less--it's too serious.
If it's going to take longer--users need to be notified.
|
||
Comment 1•21 years ago
|
||
> But
> simply setting a master password will not solve this if another user could
> access this info while you were in the restroom--without having to enter the
> master password himself.
"show passwords" will always ask for the master password, if one is set.
bug 78754 added this feature
|
||
Comment 2•21 years ago
|
||
The "Show passwords" button was added to Firefox in bug 239241.
I agree that we shouldn't have a built-in feature to view passwords. It's
tempting to abuse and it's not worth making Mozilla products *look* less secure
than their competitors. (Someone who knows what they're doing can use access to
your computer to steal passwords in other ways: install a keylogger, use the
"view passwords" bookmarklet, copy your entire profile, etc.)
|
|
||
Updated•21 years ago
|
Group: security
|
|
||
Comment 3•20 years ago
|
||
*** This bug has been marked as a duplicate of 259996 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•