Canceling the master password prompt lets you read offline mail messages

VERIFIED DUPLICATE of bug 318697

Product: Thunderbird
Component: Security
Severity: enhancement
Reporter: Carl Menezes
Assignee: Unassigned

Description (8 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b2pre Thunderbird/3.0

It is not clear that the master password does not protect your offline mail messages from being read.

I realize that the master password is there to protect your login credentials to mail servers. However, if offline access is enabled on an IMAP account, the messages are downloaded and canceling the master password dialog allows you to read past mail messages, even though it does not allow you to fetch new messages.

To me, a master password should protect access to everything. If it only protects logins, it should be called the login password, to make it clear that there is a loophole. Mail messages are pretty personal and there should be a mechanism to protect access to them, even when they have been downloaded for offline access.

Reproducible: Always

Steps to Reproduce:
1. Use an IMAP account. 
2. Enable Offline access.
3. Set a master password. 
4. Fetch your mail messages. Restart once done.
5. On restart, click cancel when prompted for the master password.

Actual Results:
The dialog goes away and you're allowed to click on messages that have been downloaded and read them.

Expected Results:  
You should not have access to anything, except maybe a mechanism to remind you of the master password. If you have forgotten it, well then you would need to set up everything from scratch.

There really needs to be SOME mechanism that allows a user to secure access to mail with a single password.
See also bug 16489, bug 35308
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 318697
Status: RESOLVED → VERIFIED