Closed
Bug 440832
Opened 17 years ago
Closed 16 years ago
Weave's client-side storage of passwords is unencrypted
Categories
(Cloud Services :: General, defect)
Tracking
(Not tracked)
RESOLVED DUPLICATE of bug 438356
People
(Reporter: avarma, Unassigned)
Details
(Whiteboard: [sg:dupe 438356])
Even if encryption is enabled in the preferences, the file 'weave/snapshots/passwords.json', relative to the user's profile directory, appears to be unencrypted.
While Weave is alpha-quality software at the moment and not too many people are using it, I'm nonetheless marking this ticket as confidential just in case. Feel free to unmark it if you don't think it needs to be.
Comment 1•17 years ago (Reporter)
By the way, I talked to Myk about this on Friday and he said that he thought it was already in Bugzilla, so this could be a duplicate, I'm just not sure which bug (if any) it's a duplicate of.
Comment 2•16 years ago
This file should be protected from web pages by profile salting and CheckLoadURI checks, but both of those have been bypassed in the past by security bugs at various times. And of course it's wide open to abuse by any local user-priv program running on your machine.
Whiteboard: [sg:high]
Comment 3•16 years ago
FWIW, Weave versions from after the switch away from WebDAV (including current version 0.2.100) don't support synchronizing passwords anymore.
Once password-support is reimplemented for the new framework, it'd be good to look into this again -- depending on how it's implemented, this may be fixed in the new version.
Comment 4•16 years ago
(In reply to comment #3)
> Once password-support is reimplemented for the new framework
I think that's being done in bug 468697.
Comment 5•16 years ago
This bug is the same as bug 438356. I'm marking this one as a dupe since the other one was filed earlier and has gotten some attention from cbeard and thunder.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Comment 6•16 years ago
Regarding this bug's security-sensitive status -- since bug 438356 has been open longer than this once, and sine this bug doesn't have anything security-sensitive that's not also mentioned in bug 438356, I think we should open this bug up.
Comment 7•16 years ago
(In reply to comment #6)
> ...longer than this once, and sine this bug...
Er, sorry for the typos: s/once/one/, s/sine/since/
(Also, note that bug 438356 *isn't* marked as security-sensitive -- I meant to mention that in my previous comment -- so anyway, this information has been accessible to the world on that bug for a long time now.)
Comment 8•16 years ago
I completely agree.
Comment 9•16 years ago
Un-hiding this bug, after talking to dveditz on IRC.
Group: mozilla-corporation-confidential, core-security
Whiteboard: [sg:high] → [sg:dupe 438356]
Updated•16 years ago
OS: Mac OS X → All
Hardware: x86 → All
Updated•16 years ago
Component: Weave → General
Product: Mozilla Labs → Weave
Target Milestone: -- → ---
Updated•16 years ago
QA Contact: weave → general