Remove stored password after the account is deleted.

RESOLVED FIXED in Thunderbird 36.0

Status

Product: MailNews Core
Component: Account Manager
Status: RESOLVED FIXED
14 years ago
2 years ago

People

(Reporter: Baruch Ben-David, Assigned: Javi Rueda)

Tracking

Version: Trunk
Target Milestone: Thunderbird 36.0
Bug Flags:
blocking-aviary1.0 -

Thunderbird Tracking Flags

(thunderbird36 fixed)

Details

Attachments

(1 attachment, 2 obsolete attachments)

Description (Reporter)

14 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.52  [en]
Build Identifier: 

I created an e-mail account in Thunderbird, and stored the password.  I then 
deleted the account.  

Later on I made changes to the POP3 server, including changing the password on 
the server.

When I tried to re-create the account in Thunderbird, I got a message telling me 
the password was incorrect.

Thunderbird had retained the old password, even though I had deleted that 
account from Thunderbird.  This is inconvenient, but more importantly, it has 
security issues.

Reproducible: Always
Steps to Reproduce:
1. Create an e-mail account.
2. Save its password, using Password Manager.
3. Delete the account.
4. Recreate the account.
5. The password will still be there.

Actual Results:  
As described above.

Expected Results:  
IMNSHO, it should have automatically deleted the password, both for convenience, 
and to reduce security risk.

Comment 1

14 years ago
I can confirm this behaviour, although I lack the bugzilla authority to actually
mark the bug as confirmed.
Flags: blocking-aviary1.0?

Comment 2

14 years ago
not a 1.0 blocker
Flags: blocking-aviary1.0? → blocking-aviary1.0-

Comment 3

14 years ago
(In reply to comment #2)
> not a 1.0 blocker

I can confirm the bug and it's really ugly. I can't use a given account with
Thunderbird since release 0.7(!) and I'm waiting 'til this is solved - my only
chance to use this account with Thunderbird!

Would you at least describe a user-workaround (deleting a file? maybe how to
wipe _all_ passwords or something) - it's really frustrating to see my account
in Thunderbird but being unable to use it, just getting "unable to connect to
[hostname]" - acts like Microsoft software ;-) just kidding..

At least confirm this one and provide a workaround for long-time users.. it's
really annoying..

Comment 4

14 years ago
By the way, I'm using 1.0 on win2k right now, just downloaded 1.0 today in the
hope this one got fixed..

Comment 5

14 years ago
There's a simple workaround - you can go into the password manager and delete
the passwords yourself. Tools | options | advanced | view saved passwords

Comment 6

13 years ago
I have Thunderbird version 1.0.2 on Fedora Core 3 and was very surprised that
after about 4 months after removing the account and then recreating it that I
did not get the password prompt. Scary. It took me a while to think to look at
Preferences/Advanced and seeing that Thunderbird shares the password file with
Firefox. 

I then used the Master Password feature to encrypt the passwords in TB. I can
still read the passwords from Firefox.

Is this a bug? Or a security issue in both FF and TB?

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: general

Updated

10 years ago
Assignee: mscott → nobody

Comment 8

10 years ago
This bug still exists in 2.0.0.16 - I think it's pretty important that this gets fixed.

Comment 9 (Reporter)

10 years ago
This bug is part of a much more serious problem with security that is deliberately built into Thunderbird.  Using the password management feature of Thunderbird, it is a simple matter to view your passwords in cleartext.  That is a serious and unacceptable security risk, but the behavior is offered as a "feature".

Since Thunderbird is designed to allow anyone with access to the computer to view the passwords to your active accounts in cleartext, I don't think there will be any effort to prevent people from getting at passwords to inactive, supposedly deleted accounts.

Thunderbird security is broken by design.

Comment 10

10 years ago
The problem I have with this bug compared to the ability to view your passwords in cleartext is that when you delete an account, you expect that the passwords are no longer available. At least with the "save password" feature you are aware that the password is saved somewhere, and consequently viewable. 

The problem with this is that, if you delete an account, the password hangs around. If someone was to later re-add that account, they would not require a password to access it. The delete account feature gives a false sense of security given that it does not actually delete everything related to that account.

Comment 11 (Reporter)

10 years ago
(In reply to comment #10)
> The problem I have with this bug compared to the ability to view your passwords
> in cleartext is that when you delete an account, you expect that the passwords
> are no longer available. At least with the "save password" feature you are
> aware that the password is saved somewhere, and consequently viewable. 
> 

I see your point and I sympathize with it.  That's why I originally reported this four years ago.  Unfortunately, given the low priority security has with Thunderbird, I am not convinced anyone will consider this bug important enough to fix it.

Comment 12

9 years ago
Can you reproduce using version 3 beta?

If you do, please see the problem comment.
If you do not, please close the bug with resolution WORKSFORME (or some
appropriate resolution, but not FIXED)

** Beta 2 has fixes Bug 239131 Thunderbird should use the new password
manager, which includes numerous improvements
http://www.mozillamessaging.com/en-US/thunderbird/early_releases/
(suggest you backup your profile before using beta release)
Component: General → Security
QA Contact: general → thunderbird

Updated

6 years ago
Duplicate of this bug: 554738

Updated (Assignee)

4 years ago
OS: Windows XP → All
Hardware: x86 → All
Summary: Stored password are retained after the account is deleted. → Remove stored password after the account is deleted.

Comment 14 (Assignee)

4 years ago
Created attachment 8493185 [details] [diff] [review]
Removes the password information when account is deleted

Modified function was reviewed previously by Ian. ;mconley has been also a reviewer, but his patches-to-be-reviewed queue seems to be really long right now.
Attachment #8493185 - Flags: review?(iann_bugzilla)

Updated

4 years ago
Assignee: nobody → leofigueres
Status: NEW → ASSIGNED

Updated

4 years ago
Component: Security → Account Manager
Product: Thunderbird → MailNews Core
Version: unspecified → Trunk

Comment 15

4 years ago
Comment on attachment 8493185 [details] [diff] [review]
Removes the password information when account is deleted

>+++ b/mailnews/base/prefs/content/AccountManager.js

>+  // Remove password information.
>+  try {
>+    var tmpType = server.type;
You don't seem to use this variable anywhere.

>+    var srvConcatenation = server.type + "://" + server.hostName;
Tend to use "let" rather than "var". Not that keen on the variable name, maybe serverUri or serverUrl or just url
>+
>+    var logins = Services.logins.findLogins({}, srvConcatenation,
>+                                            null, srvConcatenation);
let
>+
>+    for (var i = 0; i < logins.length; i++) {
let
>+      if (logins[i].username==server.username) {
Need spaces around ==
>+        Services.logins.removeLogin(logins[i]);
>+        break;
>+      }
>+    }
>+  }
>+  catch (ex) {
>+    Components.utils.reportError("Failure when removing password: " + ex);
>+  }
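Review bot: the lookup key `server.type + "://" + server.hostName` has to be exactly the hostname/httpRealm string the password was saved under; `findLogins` returning an empty array is not an error, so if the stored key is derived differently from `server.type` for some server types, the loop removes nothing, the `catch` never fires, and the password silently survives deletion, which is precisely the symptom this bug reports. Suggest verifying the key against an actual saved login for each server type (POP3 and IMAP at least) and adding a test that deletes an account and then asserts `findLogins` returns no entry for that username. The `break` after the first match also means at most one login is ever removed; if a single login per username is guaranteed, a one-line comment stating that would make the intent clear.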
f=me for the moment as I'd like to review the revised patch.
As this is shared code (between TB and SM), then it also needs a review from someone like mkmelin
Attachment #8493185 - Flags: review?(iann_bugzilla) → feedback+

Comment 16 (Assignee)

4 years ago
Created attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Changed var into let, renamed concatenated variable, removed unused variable and polished spaces.
Attachment #8496616 - Flags: review?(mkmelin+mozilla)
Attachment #8496616 - Flags: review?(iann_bugzilla)

Comment 17

4 years ago
Comment on attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Review of attachment 8496616 [details] [diff] [review]:
-----------------------------------------------------------------

Seems to work fine, thx Javier!

::: mailnews/base/prefs/content/AccountManager.js
@@ +793,5 @@
> +      }
> +    }
> +  }
> +  catch (ex) {
> +    Components.utils.reportError("Failure when removing password: " + ex);
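Review bot: `Components.utils.reportError` only writes to the error console, so if removal ever does fail the user sees the account deleted while its password stays in the store, the situation this bug is about. If the try/catch is dropped as suggested, make sure the removal runs at a point where an exception cannot leave the account half-removed; if it is kept, consider surfacing the failure to the user rather than only logging it.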

AFAIK there's nothing throwing here? so we don't need a try/catch
Attachment #8496616 - Flags: review?(mkmelin+mozilla) → review+

Comment 18

4 years ago
Comment on attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Agreed, no need for try/catch
Attachment #8496616 - Flags: review?(iann_bugzilla) → review+

Comment 19 (Assignee)

4 years ago
Created attachment 8503647 [details] [diff] [review]
Remove stored password after the account is deleted, f+

Comment 20 (Assignee)

4 years ago
Comment on attachment 8496616 [details] [diff] [review]
Patch v1.0.1

Review and Feedback information has been included into the new patch.
Attachment #8496616 - Attachment is obsolete: true

Updated (Assignee)

4 years ago
Attachment #8493185 - Attachment is obsolete: true

Updated (Assignee)

4 years ago
Keywords: checkin-needed

Comment 21

4 years ago
https://hg.mozilla.org/comm-central/rev/961310d3535b -> FIXED
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 36.0

Updated

4 years ago
Keywords: checkin-needed
status-thunderbird36: --- → fixed

Updated

2 years ago
Depends on: 1308767