Closed Bug 438356 Opened 16 years ago Closed 15 years ago

Passwords stored in plaintext file passwords.json

Categories

(Cloud Services :: General, defect, P1)

Product:
Cloud Services
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: bugzilla, Unassigned)

References

Details

(Whiteboard: [sg:high]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 0.1.30

I set up Weave to synchronize all my data, including my stored passwords.

I have just noticed a file called passwords.json present in my weave directory that contains all of my stored password data in plaintext. My stored passwords are stored encrypted with a master password and should never be exposed like this.

The file was still there even after I exited Firefox.

Reproducible: Always

Steps to Reproduce:
1. Set a master password for Firefox's password manager.
2. Save a password
3. Set Weave to synchronize stored passwords
4. Synchronize
Actual Results:  
passwords.json file in weave profile directory contains all stored passwords in plaintext.

Expected Results:  
Passwords are not stored in a plaintext file on disk.
we're going to pref passwords off by default for 0.2, but we should definitely deal with this in 0.3 as well as providing support for master passwords
Priority: -- → P1
Target Milestone: -- → 0.3
Status: UNCONFIRMED → NEW
Ever confirmed: true
I just installed 0.2.0, and stored password sync is not turned off by default.
It is off by default, but if you previously had it manually set on, that preference sticks.

That is, the setup wizard's checkboxes only reflect the current prefs, and the default value (fresh install, new profile) should be everything except passwords and forms on.
Just found out about it... A genuine WTF!? moment :p

There should be some kind of service announcement explicitly stating that all data is stored plain and accessible, because, quiet frankly, I wasn't expecting this at all, and I guess I'm not alone. After all the stuff that weave stores on a server is encrypted and that let me assume that any local stuff would be encrypted as well.

Made me think of the chrome-path-transversal bug again (bug #413250 / #413451). But now not only sessionstore.js would have been affected. :p

And please consider encrypting all data you store on hdd, not just passwords.
The idea of an attacker exploiting some similar future path-transversal bug in fx or some extension to read cookies.json isn't that great either.
These bugs need to be triaged, removing 0.3 milestone setting.
Target Milestone: 0.3 → Future
(Transferring [sg:high] status from duplicate-bug 440832)

Note that this bug isn't testable in currently-available Weave (e.g. ver 0.2.100), because password-syncing hasn't yet been implemented with Weave's new backend.  I think that work is being tracked in bug 440832.
Whiteboard: [sg:high]
OS: Windows XP → All
I don't have access to bug 440832.

The password engine we're implementing for 0.3 does not require a snapshot at all, and so there will be no passwords.json on disk.
Blocks: 468697
Hardware: x86 → All
Target Milestone: Future → 0.3
(In reply to comment #8)
> I don't have access to bug 440832.

I just un-hid that bug, so it should be accessible now. It's the same as this one.

> The password engine we're implementing for 0.3 does not require a snapshot at
> all, and so there will be no passwords.json on disk.

Awesome, so this should be fixed going forward.

However, is it possible that people who were affected by this bug in the past would still have a residual passwords.json file sitting in their profile directory?  And if so, is there any way we can make updated Weave builds flush that out?
latest builds delete this file if it exists.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Component: Weave → General
Product: Mozilla Labs → Weave
QA Contact: weave → general
You need to log in before you can comment on or make changes to this bug.