I managed to get around the Master Password Dialog for Software Security Device!

RESOLVED DUPLICATE of bug 318697

Status

Thunderbird
Security
--
critical
11 years ago
9 years ago

People

(Reporter: Viktor Stojanovski, Assigned: dveditz)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.6;MEGAUPLOAD 1.0
Build Identifier: version 2.0.0.9 (20071031)

I enabled the Master Password function. When I start the application, the master password dialog appears and normally I have to put in the password. Everything is fine with the application functions when I write the password. But if you press the Cancel button on the password dialog 8 times in a row, it just disappears and you can read all messages from all the accounts, download the attachments, manipulate and delete the messages, change any options inside the program, etc.
But the good thing is that if you try to download new messages, the Master Password dialog returns, requesting the password, and you can't get around that dialog, and you can't change the master password inside options. Besides that you can do anything you want.
I tried to reinstall, disable the master password function, etc., but the bug remains.

Bug Procedure:
!Start Thunderbird!
-Master Password Dialog Appears > Press Cancel 1 time;
-Master Password Dialog Appears > Press Cancel 2 time;
--Random Existing User Account Password Dialog Appears > Press Cancel 3 time;  
-Master Password Dialog Appears > Press Cancel 4 time;
-Master Password Dialog Appears > Press Cancel 5 time;
-Master Password Dialog Appears > Press Cancel 6 time;
-Master Password Dialog Appears > Press Cancel 7 time;
--Random Existing User Account Password Dialog Appears > Press Cancel 8 time:
!!ThunderBird Loaded!!

And then you can read all of the messages from any account, download the attachments, manipulate and delete the messages, change any options inside the program, and do some serious damage in any way the application allows you.

So I think this is a big problem. It's just a matter of time before this bug spreads on the net. I always triple-check the master password functions on apps, and this is one of the first tests that I performed. I was using some other mail clients at my workplace, and then decided to try the new version of Thunderbird. I'll wait for your fix so I can continue using this great software.
10x.

Regards,

Viktor C. Stojanovski

Reproducible: Always

From addons I have ThunderBrowse.
The master password isn't meant to protect your mail or the application itself, it just controls "protected" data (mail server login credentials, in this case). It wouldn't be much use to have it protect settings and access to the on-disk mail unless those were also encrypted. It sounds like what you want from the master password is already filed as bug 231261.
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INVALID
(Reporter)

Comment 2

11 years ago
The Master password isn't meant to protect my mail or the application?
If this function just protects my login creds, I don't have any use for it at my workplace. I can eventually use this app only in a home environment, and even there I can't protect my privacy. Just imagine work conditions where anybody with access to your PC can read, manipulate and delete any message from your inbox. My company works 24 hours, and we commonly share our workstations, which is sometimes fine when we talk about work mail, but what about private readings? Privacy? Anyone?

Master pass means Master Protection. If you don't know the password, you can't use any part of the application. That is how it's supposed to be.

Well Gavin, why then use Thunderbird? So I can just manage a couple of accounts at the same time? Not reason enough, I think. Securing personal privacy in mail clients must be a first priority for developers.

I can always change my passwords on my mail servers, but I can never recover from the damage of malicious reading, deleting and manipulating of business and private mail.

Anyhow, 10x for your time.
Resolution: INVALID → WONTFIX
Viktor: I'm not sure what you expect me to say - I'm not a Thunderbird developer, and there are already bugs filed about implementing a feature like the one you've described here (bug 231261). I'm just pointing out that the current Master Password in Thunderbird is not that feature.
Resolution: WONTFIX → INVALID
Duplicate of this bug: 434566
(Assignee)

Comment 5

10 years ago
(In reply to comment #2)
> The Master password isn't meant to protect my mail or the application?

Shared computers should use separate OS logins (not administrator privileged) for each user. Otherwise the files are easily accessible to anyone whether the application itself tries to lock you out with a password. This is equally true of competing mail programs.

Your choices for mail privacy on a shared computer are
 - keep the mail remote (e.g. web-based mail, or on a USB memory stick
   you carry with you). IMAP doesn't really fit
   the bill because header info is still stored locally and
   that can be a privacy issue
 - encrypt all your mail (S/MIME or, with the Enigmail addon, PGP).
   requires all your correspondents to do likewise
 - use OS-level protection of user files
Resolution: INVALID → DUPLICATE
Duplicate of bug: 318697
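
The third option in comment 5, OS-level protection of user files, can be checked mechanically. The following is an added example, not part of the bug thread or of Thunderbird's code: it lists every entry in a mail profile directory that other local accounts can reach and then strips that access. It assumes a POSIX system where mode bits govern access (on Windows the equivalent control is the ACL on the profile folder); `audit_profile`, `lock_down` and the sample file names are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that give any account other than the owner some access.
OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO

def _entries(profile_dir):
    """Yield (path, mode) for the profile directory and everything below it."""
    root = Path(profile_dir)
    for path in [root, *root.rglob("*")]:
        mode = path.lstat().st_mode
        if not stat.S_ISLNK(mode):       # symlink modes are not meaningful
            yield path, mode

def audit_profile(profile_dir):
    """Return sorted (relative path, mode string) pairs for entries that
    group or other accounts can read, write or traverse."""
    root = Path(profile_dir)
    return sorted(
        ("." if path == root else str(path.relative_to(root)), stat.filemode(mode))
        for path, mode in _entries(root)
        if mode & OTHERS_MASK
    )

def lock_down(profile_dir):
    """Strip group/other bits from every entry; return how many changed."""
    changed = 0
    for path, mode in list(_entries(profile_dir)):
        if mode & OTHERS_MASK:
            os.chmod(path, stat.S_IMODE(mode) & ~OTHERS_MASK)
            changed += 1
    return changed

if __name__ == "__main__":
    # Constructed sample profile; the file names are illustrative only.
    with tempfile.TemporaryDirectory() as profile:
        mail = Path(profile, "Mail")
        mail.mkdir()
        inbox = mail / "Inbox"
        inbox.write_text("From - constructed sample message\n")
        os.chmod(mail, 0o755)
        os.chmod(inbox, 0o644)
        print("before:", audit_profile(profile))
        print("changed:", lock_down(profile))
        print("after:", audit_profile(profile))
```

Permissions only separate accounts from each other; anyone sharing the same OS login, or holding administrator rights, can still read the files, which is why comment 5 pairs this with separate non-administrator logins.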