Firefox Sync syncs passwords in the clear between devices, even though a Master Password is set on the originating device.

9 years ago

(Reporter: justdave, Unassigned)




Steps to reproduce:
1. Set a master password on your desktop machine.
2. Save some passwords in your password manager.
3. Install Firefox Sync and set it up (syncing passwords is enabled by default).
4. Install Fennec on a mobile device.
5. Sync your Fennec to the same Firefox Sync profile you created above.
6. Visit a site that uses a saved password.

Actual results:
- Password is autofilled, with no prompt for a master password.

Expected results:
- Since the master password was set on the originating device, regardless of encryption key for transport, that master password should be required to access the passwords on any other device they get synced to. If this would prevent the feature from working at all (e.g. Fennec doesn't support master passwords yet - bug 540769) the user should be prompted for permission to sync them unencrypted before it does so. For bonus points, I'd have the sync extension add a column to the password manager to select which passwords that you want synced if we can't keep them encrypted in transport.

My preference would be that by default, they get stored in the profile still encrypted with that same encryption key that they would be stored with in the local profile.

Here's what scares me:

I routinely use my desktop machine to access banking websites. I now know that, without my prior knowledge, the passwords for these sites are now stored in cleartext on my mobile device (which could much more easily get stolen or lost, etc.). This is why I'm marking this as a security bug.
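Added example (not code from this bug, Firefox or Sync): a Python model of the flow the report describes, showing why the sync key only covers transport and what the reporter's "still encrypted with the same key" preference would change on the receiving device. All salts, passphrases and the stored password are constructed values, and an HMAC-SHA256 counter-mode keystream stands in for the real ciphers so it runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream, a stand-in for the real cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])

# Constructed value: one sync key is shared by every device on the account.
SYNC_KEY = derive_key("sync-passphrase", b"constructed-sync-salt")

def desktop_export(local_store: bytes, master_password: str, salt: bytes) -> bytes:
    # Desktop unlocks its store with the master password and re-encrypts the
    # cleartext under the sync key: transport is protected by the sync key only.
    plaintext = unseal(derive_key(master_password, salt), local_store)
    return seal(SYNC_KEY, plaintext)

def fennec_import_as_reported(wire_blob: bytes) -> bytes:
    # Receiving device without master-password support: decrypts with the
    # sync key and writes the cleartext straight into its profile.
    return unseal(SYNC_KEY, wire_blob)

def fennec_import_proposed(wire_blob: bytes, master_password: str, salt: bytes) -> bytes:
    # Reporter's preference: keep the entry wrapped under the same
    # master-password-derived key on the receiving device as well.
    return seal(derive_key(master_password, salt), unseal(SYNC_KEY, wire_blob))

def stored_in_clear(on_disk: bytes, password: bytes) -> bool:
    # Check on the receiving profile: is the raw password readable with no key?
    return password in on_disk
```

Running stored_in_clear over the two import paths is the check to make against the mobile profile: the as-reported path leaves the password readable on disk, the proposed path does not while the master password still recovers it.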
There is currently a discussion about this issue in Bug 540975.

We can bring up the issue during their weekly meeting.
See Also: → bug 540975
Group: client-services-security
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 540975
Component: Needs Triage → General
QA Contact: needstriage → general