Open
Bug 581452
Opened 14 years ago
Updated 2 years ago
The signons3.txt file in %appdata% folder doesn't get deleted after I remove the passwords using UI
Categories
(Firefox :: Security, defect)
UNCONFIRMED
People
(Reporter: kuldeep.bora, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

After clearing the passwords using Tools->Options->Security->Saved Passwords->Remove All, the encrypted passwords still remain in the signons3.txt file in the %Appdata%\Mozilla\Firefox\Profiles\{profilefolder} folder. Along with cert8.db and key3.db, decrypting the passwords is possible.

Reproducible: Didn't try

Deleting the content of signons.txt shouldn't be a problem to other users using the same installation of Firefox again.
Reproducible: Always

What I mean is nearly the same: Untouched signons#.txt files after sqlite editing on FF3. In my view this is a severe data privacy issue. Joe Average Firefox user knows nothing about the txt-to-sqlite change and will trust the dialogs, which may be misleading and a potential private data leak.

This is the long story:

[ A few weeks ago I was shrinking my Firefox profile directory, and stumbled (again) across those sqlites. I did some research, got an idea, did a test and was stunned. This is what I did last week to reproduce the test:

- Take a profile that exists since FF2 (or earlier) and was used under FF3.
- Recheck that there is a bookmarks.html, a places.sqlite, those signons#.txt, a signons.sqlite and so on.
- Start a FF3 on this profile and delete all private data. This does not seem to work for my FF, so I deleted all stored passwords and checked after a restart that they were absent.
- See that the signons.sqlite has changed (kind of nulled) but that the signons2/3.txt files stayed as they were.
- Start a FF2 on this profile (e.g. a Portable Firefox 2.0.0.17), go to the stored passwords dialog and get a shock, as here are all your passwords you had just before Firefox switched from txt to sqlite! ]

Either every action like removing a password or changing the master password has to be done also on those old txt files. But as compatibility with older FF1/2 versions is 'usually' not needed, FF3 should, when started on a profile with existing txt files instead of sqlite ones, ask the user if he accepts a clean conversion, or if he wants to be risky and leave them there, e.g. until he has updated all his workstations to FF3. This does not only concern passwords, but also history, cookies etc.
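
Added example, not part of the bug report or of Firefox's code: a profile audit that flags the condition both comments describe, namely non-empty legacy signons*.txt stores left beside signons.sqlite. The function names, the sample folder names and the placeholder file contents are constructed for illustration; only the store and key file names come from the report.

```python
import re
import tempfile
from pathlib import Path

# Legacy text stores named in the report: signons.txt, signons2.txt, signons3.txt
LEGACY_RE = re.compile(r"^signons\d*\.txt$", re.IGNORECASE)
KEY_FILES = ("key3.db", "cert8.db")  # files the report says allow decryption

def audit_profile(profile: Path) -> dict:
    """Report non-empty legacy signons*.txt files left in one profile folder."""
    legacy = sorted(
        p.name for p in profile.iterdir()
        if p.is_file() and LEGACY_RE.match(p.name) and p.stat().st_size > 0
    )
    has_sqlite = (profile / "signons.sqlite").is_file()
    return {
        "profile": profile.name,
        "legacy_stores": legacy,
        "key_files": [k for k in KEY_FILES if (profile / k).is_file()],
        # Stale: the profile already uses signons.sqlite, yet old text stores
        # remain and are untouched by "Remove All" per the report.
        "stale": has_sqlite and bool(legacy),
    }

def audit_profiles(root: Path) -> list:
    """Audit every profile folder under a Profiles directory."""
    return [audit_profile(d) for d in sorted(root.iterdir()) if d.is_dir()]

def build_sample(root: Path) -> None:
    """Constructed sample layout (placeholder bytes, not real data)."""
    layouts = {
        "abcd1234.default": ("signons2.txt", "signons3.txt", "signons.sqlite",
                             "key3.db", "cert8.db"),
        "efgh5678.clean": ("signons.sqlite", "key3.db", "cert8.db"),
    }
    for folder, names in layouts.items():
        (root / folder).mkdir()
        for name in names:
            (root / folder / name).write_bytes(b"constructed placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for row in audit_profiles(Path(tmp)):
            print(row)
```

To audit a real machine, pass the Profiles directory from the report's path to audit_profiles instead of the temporary sample directory.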
Updated • 2 years ago
Severity: normal → S3