Closed
Bug 486119
Opened 15 years ago
Closed 15 years ago
First e-mail is displayed despite Master Password box being unfilled
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 318697
People
(Reporter: vosqueentrais, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 Build Identifier: version 2.0.0.21 (20090302) Using Password Safe's "Perform Auto type" option too soon (while Thunderbird is still loading; before the Master Password box appears), sometimes opens the first email message, without any password being actually introduced and validated (the box remains empty). In other words, it's possible to read e-mail without a password. Other times the same action just applies a couple of tags to the first message. On both cases, "auto type" seems to act as a sequence of shortcut keys. Reproducible: Always Steps to Reproduce: 1.Open Password Safe (site: http://passwordsafe.sourceforge.net/ ) 2.Open Thunderbird 3.Click "Perform Auto type" in Password Safe (before Thunderbird was fully loaded) Actual Results: I could read the email top of the list, while the "Master Password" box was still on-screen (and empty). Closing Thunderbird will have the usual effect of leaving open messages available. Expected Results: A password is introduced, either: (a) Thunderbird is immediately capable of (at least) storing said password to be placed within the Master Password box when it's open, or (b) Nothing at all happens. What can't happen is Thunderbird being receptive to shortcut keys (if that's the problem) when a Master Password is required.
Comment 1•15 years ago
|
||
Thunderbird's master password only encrypts your saved account passwords, not the contents of any email messages which have been downloaded locally. Are you seeing those local messages, perhaps, before you enter the master password? I don't think this should remain a hidden security bug, but let's see if others agree.
(In reply to comment #1) > Thunderbird's master password only encrypts your saved account passwords, not > the contents of any email messages which have been downloaded locally. Are you > seeing those local messages, perhaps, before you enter the master password? > > I don't think this should remain a hidden security bug, but let's see if others > agree. I am seeing messages before entering the master password (mp). I've just read this at mozillazine ( http://kb.mozillazine.org/Master_password ): "A master password will not prevent others from reading locally stored e-mails, reading your browsing history, or from accessing sites the browser is already logged in to." Since I'm prompted to introduce the mp as soon as Thunderbird starts, I thought its function was to restrict access to everything, not just the list of saved passwords within the options menu. If I was wrong about that, there's no bug.
Comment 3•15 years ago
|
||
That's right. The Master Password is to protect your saved passwords only.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
(In reply to comment #3) > That's right. The Master Password is to protect your saved passwords only. I know it's a different discussion, but why then does one need to enter the master password when opening Thunderbird, rather than when attempting to access the passwords (and failing to do so blocks access to the messages)? Why block Thunderbird if the password is wrong or even if pressing "cancel"?
Comment 5•15 years ago
|
||
(In reply to comment #4) > I know it's a different discussion, but why then does one need to enter the > master password when opening Thunderbird, rather than when attempting to access > the passwords (and failing to do so blocks access to the messages)? Why block > Thunderbird if the password is wrong or even if pressing "cancel"? When you start up Thunderbird, it will (by default) immediately try and access your mail accounts for new mail. Hence it needs to see if the passwords are stored, hence the prompt.
Updated•15 years ago
|
Resolution: INVALID → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•