Open
Bug 438354
Opened 17 years ago
Updated 2 years ago
password kept around unencrypted and easily accessible from JS for an unnecessarily long time
Categories
(Thunderbird :: Security, defect)
Thunderbird
Security
Tracking
(Not tracked)
NEW
People
(Reporter: teramako, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; ja; rv:1.9) Gecko/2008052912 Firefox/3.0 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008060803 Thunderbird/3.0a2pre password of plain text can be found out from javascript (document.defaultView.gMsgFolderSelected.server.password) when imap account folder is selected. Reproducible: Always Steps to Reproduce: 1.Select an imap account folder 2.Open DOM Inspector 3.see document.defaultView.gMsgFolderSelected.server from "JavaScript Object" Actual Results: imap account password of plain text can be found out in JavaScript Object tree
Comment 1•17 years ago
|
||
That's expected isn't it? If you get chrome privs you can do and access whatever you want.
>That's expected isn't it? If you get chrome privs you can do and access
whatever you want.
yes, that is.
but I think that is too easy to find out.
All passwords should be encrypted.
Comment 3•17 years ago
|
||
(In reply to comment #2) > >That's expected isn't it? If you get chrome privs you can do and access > whatever you want. > yes, that is. > but I think that is too easy to find out. > > All passwords should be encrypted. Passwords have to be decrypted at some stage. You could get a password straight from the password manager by using an appropriate javascript construct. You can also easily find out your password from going into the password manager and selecting show passwords. I guess what I'm trying to say, is even if we removed/encrypted that instance, there would still be plenty of other ways to get at the passwords if you have chrome privs. Dan/David, what do you two think?
Comment 4•17 years ago
|
||
In an ideal world, there'd be some toolkit interface specifically for holding sensitive data which contains memory that's plock()ed to keep it from being written to swap, zeroed out after use, etc. Passwords would be only decrypted on demand into such buffers, which would be immediately destroyed after use, etc. Back to reality, if someone wants to submit a patch that moves us in this direction, or does something else reasonable, it'd be worth considering. That said, I don't think this provides enough benefit that I'd want to trade away any of the other work that's currently happening in favor of this. Having chrome privileges is equivalent to having the keys to the kingdom, and attempting to defend against attackers after they've already got that seems low priority to me.
Summary: password of plain text can be found out from javascript → password kept around unencrypted and easily accessible from JS for an unnecessarily long time
Comment 5•17 years ago
|
||
(In reply to comment #4) > Back to reality, if someone wants to submit a patch that moves us in this > direction, or does something else reasonable, it'd be worth considering. That > said, I don't think this provides enough benefit that I'd want to trade away > any of the other work that's currently happening in favor of this. Having > chrome privileges is equivalent to having the keys to the kingdom, and > attempting to defend against attackers after they've already got that seems low > priority to me. > Confirming bug so that it doesn't get lost.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Version: unspecified → Trunk
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•