Open Bug 581452 Opened 14 years ago Updated 2 years ago

The signons3.txt file in %appdata% folder doesn't get deleted after I remove the passwords using UI

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows XP
defect

UNCONFIRMED

People

(Reporter: kuldeep.bora, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

After clearing the passwords using Tools->Options->Security->Saved Passwords->Remove All, the encrypted passwords still remain in the signons3.txt file in the %Appdata%\Mozilla\Firefox\Profiles\{profilefolder} folder. Along with cert8.db and key3.db, decrypting the passwords is possible.

Reproducible: Didn't try




Deleting the content of signons.txt shouldn't be a problem to other users using the same installation of Firefox again.
Version: unspecified → 3.6 Branch
Reproducible: Always

What I mean is nearly the same: Untouched signons#.txt files after sqlite editing on FF3.

In my view this is a severe data privacy issue. Joe Average Firefox user knows nothing about the txt-to-sqlite change and will trust the dialogs, which may be misleading and a potential private data leak.

This is the long story:
[
A few weeks ago I was shrinking my Firefox profile directory, and stumbled (again) across those sqlites. I did some research, got an idea, did a test and was stunned. This is what I did last week to reproduce the test:

- Take a profile that has existed since FF2 (or earlier) and was used under FF3.
- Recheck that there is a bookmarks.html, a places.sqlite, those signons#.txt, a signons.sqlite and so on.
- Start a FF3 on this profile and delete all private data. This does not seem to work for my FF, so I deleted all stored passwords and checked after a restart that they were absent.
- See that the signons.sqlite has changed (kind of nulled) but that the signons2/3.txt files were kept as they were.
- Start a FF2 on this profile (e.g. a Portable Firefox 2.0.0.17), go to the stored passwords dialog and get a shock, as here are all your passwords you had just before Firefox switched from txt to sqlite!
]

Either every action like removing passwords or changing the master password has to be done also on those old txt files. But as compatibility with older FF1/2 versions is 'usually' not needed, FF3 should, when started on a profile with existing txt files instead of sqlite ones, ask the user if he accepts a clean conversion, or if he wants to be risky and leave them there, e.g. until he has updated all his workstations to FF3.

This does not only concern passwords, but also history, cookies etc.
Severity: normal → S3
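
An audit check for the condition reported in this bug, as an added example (not part of the bug report and not Firefox code): it walks a profiles root and flags every profile that still holds a non-empty legacy signons*.txt file, noting whether signons.sqlite and the key files named above sit beside it. The function names and the profiles root passed on the command line are assumptions; the script only inspects file names and sizes and does not read or decrypt anything.

```python
import re
import sys
from pathlib import Path
from typing import Optional

# File names as they appear in the bug report above.
LEGACY_RE = re.compile(r"^signons\d*\.txt$", re.IGNORECASE)  # signons.txt, signons2.txt, signons3.txt
CURRENT_STORE = "signons.sqlite"
KEY_FILES = ("key3.db", "cert8.db")


def audit_profile(profile: Path) -> Optional[dict]:
    """Return a finding for one profile directory, or None if no legacy store is left."""
    legacy = sorted(
        p.name for p in profile.iterdir()
        if p.is_file() and LEGACY_RE.match(p.name) and p.stat().st_size > 0
    )
    if not legacy:
        return None
    return {
        "profile": profile.name,
        "legacy_files": legacy,
        # True when the profile was already converted, i.e. the UI now edits
        # signons.sqlite and the text files are leftovers.
        "migrated": (profile / CURRENT_STORE).is_file(),
        # Key material next to the leftovers is what makes them recoverable.
        "key_files_present": [k for k in KEY_FILES if (profile / k).is_file()],
    }


def audit_profiles(root: Path) -> list:
    """Audit every profile directory directly under the given root."""
    findings = []
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        finding = audit_profile(profile)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Usage: python audit_signons.py <path to the Profiles folder>
    for f in audit_profiles(Path(sys.argv[1])):
        state = "leftover after migration" if f["migrated"] else "legacy store only"
        keys = ", ".join(f["key_files_present"]) or "none"
        print(f"{f['profile']}: {', '.join(f['legacy_files'])} ({state}; key files: {keys})")
```

A profile reported as "leftover after migration" with key files present matches the situation described in the comments above.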