Closed Bug 286650 Opened 19 years ago Closed 19 years ago

Able to view saved passwords from tools -> saved passwords

Categories

(Toolkit :: Password Manager, defect)

1.7 Branch
x86
Windows XP
defect
Not set
major


VERIFIED DUPLICATE of bug 259996

People

(Reporter: ahmet.ozman, Assigned: bryner)


Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

I am from the IT department of RMIT University, Melbourne, Australia (www.rmit.edu.au).
In our office we are promoting Firefox to be the default browser and we also
love the product. But we realise it is no good in an office environment that
Firefox displays saved passwords. Is it possible to get an update to disable
this feature, since it is a big security threat for us? I understand the fact
that it might be useful for the home user but for a big organisation it is a
security issue. Maybe in the next release this feature can be optional. Thanks
in advance.

Reproducible: Always

Steps to Reproduce:
tools -> options -> privacy -> Saved Passwords -> View Saved Passwords -> Show
Passwords
Actual Results:
Anyone can learn others' usernames and their passwords easily.

Expected Results:  
Disable this feature (able to view saved passwords).
Summary: Able to view saved passwords from saved passwords → Able to view saved passwords from tools -> saved passwords
Version: unspecified → 1.0 Branch
This is a known feature, not a security exploit so I'm removing the confidential
flag. 

Why aren't you using your OS login for security? Windows XP has fairly capable
support for users. As long as you log out of Windows, other users on that
machine shouldn't be able to view your passwords.
Group: security
First, 400+ staff members have to log in to the network, therefore we do have
a login for all machines. Plus I don't think any staff member will log out from
their machine when they go to toilet, meeting or coffee break or lunch. Cheers
Attached patch toolkit.jar
To hide saved passwords in Firefox, follow these steps:

(But if the Firefox dev team could add a feature to the installation process, I
think it would make Firefox more secure and much more practical for big
organisations which use Firefox as default browser)

1. Close Firefox
2. Rename the file C:\Program Files\Mozilla Firefox\chrome\toolkit.jar to
toolkit.jar.old
3. Copy the attached file toolkit.jar into the above folder (which is attached)

Ahmet Ozman
Note that hiding the feature does not hide the password file, and anyone with
access to the machine could copy the file and look at it on their own machine.
It'd take slightly longer than hitting the button on the dialog, but if the
victim was at lunch as opposed to in the bathroom that's not a problem.

A much better solution is to encourage the use of a "Master Password" (Firefox
would in fact be more secure if it required one before enabling the password
saving feature, but some people save only low-value passwords and feel their
personal home machine is secure). With a master password set you are prompted
for it before it will display the passwords on that dialog.

Hacking toolkit.jar is a VERY bad idea, you'll have to re-do it every time you
upgrade your installation to a new Firefox. Much better to do this as an
extension or userChrome.css trick.

In each concerned user's userChrome.css (search mozilla.org site) you could add
a line something like

 dialog#signonviewer button#togglePasswords { display:none }

Alternately, an extension to hide the user names column can be found at
http://s93731204.onlinehome.us/firefox/hideusernames.html -- Take this as a
sample only. In the overlay, instead of
 <treecol id="userCol" hidden="true"/>
you'd want to hide the show-password button.
 <button id="togglePasswords" hidden="true"/>

You can package an extension with Firefox as you roll it out to your users.

*** This bug has been marked as a duplicate of 259996 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Disabling 'view passwords' is bug 259996, but it's only a stop-gap. Bug 259648
(require master password when viewing passwords) would be the real fix.

Workaround is to require every user to set his/her master password. But you
know that 90% of the users wouldn't listen to your advice :-)

> Plus I don't think any staff member will log out from
> their machine when they go to toilet, meeting or coffee break or lunch.

Since people always forget to lock their machines, you have more problems
than just the password. I can also read & destroy their mail, access sensitive
websites whose passwords are saved, etc ...
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit