Open Bug 438354 Opened 17 years ago Updated 2 years ago

password kept around unencrypted and easily accessible from JS for an unnecessarily long time

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Type:
defect

Tracking

(Not tracked)

People

(Reporter: teramako, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; ja; rv:1.9) Gecko/2008052912 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008060803 Thunderbird/3.0a2pre

password of plain text can be found out from javascript (document.defaultView.gMsgFolderSelected.server.password)
when imap account folder is selected.

Reproducible: Always

Steps to Reproduce:
1.Select an imap account folder
2.Open DOM Inspector
3.see document.defaultView.gMsgFolderSelected.server from "JavaScript Object"
Actual Results:  
imap account password of plain text can be found out
in JavaScript Object tree
That's expected isn't it? If you get chrome privs you can do and access whatever you want.
>That's expected isn't it? If you get chrome privs you can do and access
whatever you want.
yes, that is.
but I think that is too easy to find out.

All passwords should be encrypted.
(In reply to comment #2)
> >That's expected isn't it? If you get chrome privs you can do and access
> whatever you want.
> yes, that is.
> but I think that is too easy to find out.
> 
> All passwords should be encrypted.

Passwords have to be decrypted at some stage. You could get a password straight from the password manager by using an appropriate javascript construct. You can also easily find out your password from going into the password manager and selecting show passwords.

I guess what I'm trying to say, is even if we removed/encrypted that instance, there would still be plenty of other ways to get at the passwords if you have chrome privs.

Dan/David, what do you two think?
In an ideal world, there'd be some toolkit interface specifically for holding sensitive data which contains memory that's plock()ed to keep it from being written to swap, zeroed out after use, etc.  Passwords would be only decrypted on demand into such buffers, which would be immediately destroyed after use, etc.  

Back to reality, if someone wants to submit a patch that moves us in this direction, or does something else reasonable, it'd be worth considering.  That said, I don't think this provides enough benefit that I'd want to trade away any of the other work that's currently happening in favor of this.  Having chrome privileges is equivalent to having the keys to the kingdom, and attempting to defend against attackers after they've already got that seems low priority to me.
Summary: password of plain text can be found out from javascript → password kept around unencrypted and easily accessible from JS for an unnecessarily long time
(In reply to comment #4)
> Back to reality, if someone wants to submit a patch that moves us in this
> direction, or does something else reasonable, it'd be worth considering.  That
> said, I don't think this provides enough benefit that I'd want to trade away
> any of the other work that's currently happening in favor of this.  Having
> chrome privileges is equivalent to having the keys to the kingdom, and
> attempting to defend against attackers after they've already got that seems low
> priority to me.
> 
Confirming bug so that it doesn't get lost.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Version: unspecified → Trunk
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.