Closed
Bug 537499
Opened 15 years ago
Closed 15 years ago
Master Password provides false sense of security!
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: thomas, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729) This is not a new security issue, probably existed ever since master password was first introduced. If I have Master Password enabled in FF and am prompted to type in my master password when I first try to open a website that requires a login and I have a stored authentication for it. However I only need to click cancel and FF will happily log me in. From then I have full access to everything that doesn't require me to manually type in a password on that website. FF is even loading the page(s) in the background in the browser window while the password requester is still visible and I haven't typed in the correct one. It is even worse if I have a saved session or recover from a crash when I start FF. Then all browser windows/tabs will load, happily sending authentications. Thus an unauthorized person will even be alerted to websites I have account on. It will prompt for the master password, but its still only to click cancel and full access to those website account will in most cases be available. Only websites with high security that log me out after x amount of inactivity and requires me to manually type in a password/code, such as internet banking, that is not/can't be stored in FF is safe. Conclusion: This renders the master password requester completely useless for anything but the possibility to read the passwords in plain text "Options/Security/Saved Passwords..."! The result of this is that users will get a false sense of security, while they are in reality not protected at all, except from reading the passwords in plain text. It is not possible for the user to be in control of what for example a third party that has temporary physical access to the computer will be able to access, even if FF is not running. They just need to start it. Proposed solution: For the master password to be usable for anything outside "Options/Security/Saved Passwords..." a much more granular configuration is needed. 1 - Minimum protection is that it is needed to read (plain text) or change existing password in Options. This also need to have a timer so that after a configured time the requesters where I view or change my saved passwords are closed or locked until I provide it again. 2 - Total control and configuration of how passwords are used outside Options. - Before FF even send a request to a website, where I have a stored authentication I must enter the correct master password. - In that requester there will be an option to not send it and the page will then load without sending authentication, thus the browser will not be logged in. - A hotkey to lock down any, or all, open browser windows or tabs that are using authentication. FF will then stop any activity in those windows, or tabs, as well as access to even view any information visible in them. - A timer that kicks in and locks any windows/tab needing authentication after x amount of time not using actively. - Password needed after waking up the computer from hibernation, stand by, etc. As well as if password is required to unlock computer from screen saver. - Option to require password for every manual requestion triggered to a website. - Optionally be able to configure individual authentications more granular. With the above all websites and all information accessed using FF will be completely protected and secure. At the same time any page not needing authentication wont be affected. I can thus quickly lock everything, using the hotkey, and still let a third party temporarily use the computer without having to close down Firefox. Of course, the above will only protect access to the information from within FF. It wont protect against direct access to the files on the computer. To solve that encryption and other security features will optionally be needed for storing any content needing authentication. This is especially important for when https is not used. Reproducible: Always Steps to Reproduce: Se details. Actual Results: No information protection. Expected Results: No access to any information or features on websites without providing the master password requiring authentication.
Reporter | ||
Comment 1•15 years ago
|
||
Added link to similar bug submission for Thunderbird.
See Also: → 537497
that's abuse. and the fact that you filed two bugs is spam.
See Also: 537497 →
sorry, this is a waste of time. the feature is well documented and google i'm feeling lucky yields a page for it: http://kb.mozillazine.org/Master_password that page doesn't seem particularly bad. bugs should be about bugs, not spam. you've abused our database. if you want to have a diatribe, please use a newsgroup. when you have a concrete bug "please change the help on page foo from bar to baz" please feel free to file _ONE_ real and concise bug.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•