Closed Bug 286650 Opened 20 years ago Closed 20 years ago

Able to view saved passwords from tools -> saved passwords

Categories

(Toolkit :: Password Manager, defect)

1.7 Branch
x86
Windows XP
defect
Not set
major

VERIFIED DUPLICATE of bug 259996

People

(Reporter: ahmet.ozman, Assigned: bryner)

Details

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

I am from the IT department of RMIT University, Melbourne, Australia (www.rmit.edu.au). In our office we are promoting Firefox to be the default browser and we also love the product. But we realise it is no good in an office environment that Firefox displays saved passwords. Is it possible to get an update to disable this feature, since it is a big security threat for us? I understand the fact that it might be useful for the home user, but for a big organisation it is a security issue. Maybe in the next release this feature can be optional. Thanks in advance.

Reproducible: Always

Steps to Reproduce:
tools -> options -> privacy -> Saved Passwords -> View Saved Passwords -> Show Passwords

Actual Results:
Anyone can learn others' usernames and their passwords easily.

Expected Results:
Disable this feature (able to view saved passwords).
Summary: Able to view saved passwords from saved passwords → Able to view saved passwords from tools -> saved passwords
Version: unspecified → 1.0 Branch
This is a known feature, not a security exploit, so I'm removing the confidential flag. Why aren't you using your OS login for security? Windows XP has fairly capable support for users. As long as you log out of Windows, other users on that machine shouldn't be able to view your passwords.
Group: security
First, 400+ staff members have to log in to the network, therefore we do have a login for all machines. Plus, I don't think any staff member will log out from their machine when they go to the toilet, a meeting, a coffee break or lunch. Cheers
Attached patch toolkit.jar
To hide saved passwords in Firefox, follow these steps: (But if the Firefox dev team could add a feature to the installation process, I think it would make Firefox more secure and much more practical for big organisations which use Firefox as default browser.)

1. Close Firefox
2. Rename the file C:\Program Files\Mozilla Firefox\chrome\toolkit.jar to toolkit.jar.old
3. Copy the attached file toolkit.jar into the above folder (which is attached)

Ahmet Ozman
Note that hiding the feature does not hide the password file, and anyone with access to the machine could copy the file and look at it on their own machine. It'd take slightly longer than hitting the button on the dialog, but if the victim was at lunch as opposed to in the bathroom that's not a problem.

A much better solution is to encourage the use of a "Master Password" (Firefox would in fact be more secure if it required one before enabling the password saving feature, but some people save only low-value passwords and feel their personal home machine is secure). With a master password set you are prompted for it before it will display the passwords on that dialog.

Hacking toolkit.jar is a VERY bad idea; you'll have to re-do it every time you upgrade your installation to a new Firefox. Much better to do this as an extension or userChrome.css trick. In each concerned user's userChrome.css (search mozilla.org site) you could add a line something like

    dialog#signonviewer button#togglePasswords { display:none }

Alternately, an extension to hide the user names column can be found at http://s93731204.onlinehome.us/firefox/hideusernames.html -- Take this as a sample only. In the overlay, instead of

    <treecol id="userCol" hidden="true"/>

you'd want to hide the show-password button.

    <button id="togglePasswords" hidden="true"/>

You can package an extension with Firefox as you roll it out to your users.

*** This bug has been marked as a duplicate of 259996 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
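One way to roll the userChrome.css rule suggested in the comment above out to every profile without duplicating it on repeat runs, as an added example (not from the thread and not Mozilla code). The profile-root argument, the marker comment and the sample profile names are assumptions; as the comment notes, the rule only hides the button and leaves the saved-password file readable.

```python
"""Idempotently add the 'hide Show Passwords button' rule to each profile's userChrome.css."""
import re
import tempfile
from pathlib import Path

# Rule quoted from the comment above ("something like"). It is cosmetic only:
# the saved-password file in the profile stays readable to anyone at the machine.
RULE = "dialog#signonviewer button#togglePasswords { display:none }"
MARKER = "/* managed: hide togglePasswords */"  # hypothetical marker, for auditing

def _normalise(css: str) -> str:
    """Strip comments and all whitespace so differently formatted copies compare equal."""
    return re.sub(r"\s+", "", re.sub(r"/\*.*?\*/", "", css, flags=re.S))

def ensure_rule(css: str) -> tuple[str, bool]:
    """Return (css, changed); append the rule unless an active equivalent is present."""
    if _normalise(RULE) in _normalise(css):
        return css, False
    sep = "" if css == "" or css.endswith("\n") else "\n"
    return f"{css}{sep}{MARKER}\n{RULE}\n", True

def deploy(profiles_root: Path) -> list[Path]:
    """Apply ensure_rule to <profile>/chrome/userChrome.css for every profile directory."""
    changed = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        css_file = profile / "chrome" / "userChrome.css"
        old = css_file.read_text(encoding="utf-8") if css_file.exists() else ""
        new, did_change = ensure_rule(old)
        if did_change:
            css_file.parent.mkdir(parents=True, exist_ok=True)
            css_file.write_text(new, encoding="utf-8")
            changed.append(css_file)
    return changed

def demo() -> tuple[int, int]:
    """Run twice over a constructed profile tree; the second run must change nothing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        chrome = root / "abc123.default" / "chrome"  # constructed profile names
        chrome.mkdir(parents=True)
        (chrome / "userChrome.css").write_text(
            '@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");\n',
            encoding="utf-8")
        (root / "def456.work").mkdir()  # profile with no chrome/ directory yet
        return len(deploy(root)), len(deploy(root))

if __name__ == "__main__":
    print(demo())
```

A copy of the rule that has been commented out in an existing file is treated as absent, so the active rule is appended again.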
Disabling 'view passwords' is bug 259996, but it's only a stop-gap. Bug 259648 (require master password when viewing passwords) would be the real fix. Workaround is to require every user to set his/her master password. But you know that 90% of the users wouldn't listen to your advice :-)

> Plus I dont think any staff memeber will log out from
> their machine when they goto toilet, meeting or coffe break or lunch.

Since people always forget to lock their machines, you have more problems than just the password. I can also read & destroy their mail, access sensitive websites whose passwords are saved, etc ...
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit