creating new profile gives access to saved passwords despite use of master password in first profile




Password Manager
9 years ago


(Reporter: Shi Sherebrin, Unassigned)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:needinfo])



9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4

I found, after creating a new profile, that my saved passwords from a previous profile were all visible, even though they were protected by a master password in the first profile.

Reproducible: Always

Steps to Reproduce:
1. Save some passwords, protect them with Master Password
2. Create new profile
3. Browse saved passwords in the new profile

Actual Results:
passwords are visible

Expected Results:
passwords should not be visible

Was it just those steps, you created the new profile without removing the old one, and you picked a new profile name and directory for it?

Had you removed the previous profile?

If you removed it did you choose the option to delete the files or did you just delete the entry in the profile manager?

Did you create the new profile in the same directory as the old one? Normally that should not happen without intervention; even if you pick the same profile name, the directory itself should have a random bit.

Was the old profile created with Firefox 3.1/3.5 or was this left over from Firefox 3.0 or earlier?
Component: Security → Password Manager
Product: Firefox → Toolkit
QA Contact: firefox → password.manager
Whiteboard: [sg:needinfo]

More questions for the reporter.

1. Did you save the site passwords, and then establish a master password?
Or did you establish the master password and then save the site passwords?

2. There are several ways to create a new profile. Which method did you use?

3. Do you mean that the passwords entered into the first profile also appear in the second profile, as if they had also been entered into the second profile? Or do you mean that you're somehow able to examine the contents of the first profile while using the second one?

Comment 3

9 years ago
- created new profile without removing previous (there was only default) one
- gave it a name, did not actively choose directory for it (looking at my profiles folder I can see that it did get a different folder)
- did not remove any previous profile
- original profile would be from pre-3.0

- I can't recall which order I set up the passwords; I don't normally save passwords, but decided to do so for Weave.  I think I probably told it to save the passwords first, then went in and set a master password (unless, does it give the option to set a master pwd as you're saving a regular one?)
- created new profile by using Start->Run (actually Win+R), firefox -P, then clicked the button to create a new profile
- passwords appear in the second profile as if they'd been entered there

Are you using Weave in the new profile? You know it syncs passwords, right?

Comment 5

9 years ago
Yes I had to install the Weave again - I know about password sync, which I have never used; I always uncheck that box when I set up the prefs

Comment 6

9 years ago
My apologies for spinning your wheels (and mine) - while going through the steps of trying to reproduce this on another machine, I realized that part of the process of installing the Weave plugin involves entering my password - since the default for a new profile is to save passwords, this must be what happened.  Since I don't have any other passwords stored in my first profile, I was fooled by the identical appearance of the password display area between the two profiles.
Last Resolved: 9 years ago
Resolution: --- → INVALID
Group: core-security