Closed
Bug 600881
Opened 14 years ago
Closed 14 years ago
Able to copy password from password manager without entering master password
Categories
(Toolkit :: Password Manager, defect)
RESOLVED
DUPLICATE
of bug 571997
| Tracking | Status |
---|---|---|
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: david, Unassigned)
Details
(Keywords: privacy, regression, Whiteboard: [sg:low local password loss])
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b7pre) Gecko/20100930 Firefox/4.0b7pre
Build Identifier: 4.0b7pre

I have passwords stored. If you enter the master password key once, you get into the password manager. You can then right-click on any password and Copy Password, and it copies the password out. However the "Show Passwords" button requires further confirmation by entering the master password again. I would think that both of these operations should require the master password, or neither.

Reproducible: Always

Steps to Reproduce:
1. Open password manager and type in master password
2. Right-click on password key, and select "Copy Password"
3. Password can be pasted anywhere

Actual Results:
Password is copied to clipboard in the clear

Expected Results:
Prompted for master password again like "Show Passwords" button requires, or not copied password

I don't think it's a critical security error as just entering the dialog still requires a master password, but I'm erring on the side of caution in selecting the Security box.
Comment 1•14 years ago
Confirming. New feature in FF4 (bug 566910) so older branches unaffected.

The behavior is inconsistent and broken, but maybe in practice not much worse than the current (FF 3.6) dialog:
* if passwords hadn't been used (attacker launches Firefox from the desktop?) then you have to know the master password (no exploit here)
* if the victim had already used the MPw once that session the local snooper can open the password list.
  a. see interesting site in the list
  b. open the site (password is filled for you)
  c. use javascript: or inspector to get the value of the password

This new FF4 behavior makes the problem so easy anyone can do it, whereas figuring out steps b and c may have protected you from the average person (but not from anyone marginally competent with web technology).

We have other bugs on the fact that the sites and user names alone are valuable information. Perhaps we can solve both problems by moving the Master Password requirement from the "Show Passwords" button to opening the "Saved Passwords" dialog at all (whether the Master Password had been previously used in that session or not).

Benefits:
1. "Copy Password" is as protected as "Show Passwords"
2. user name and site info is also protected
Assignee: nobody → dolske
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Ever confirmed: true
Keywords: privacy
Whiteboard: [sg:low local password loss]
Updated•14 years ago
Blocks: 566910
Keywords: regression
Comment 2•14 years ago
This is actually a dupe of bug 571997. Don't know if duping it has security implications.
OS: Windows 7 → All
Hardware: x86 → All
Version: unspecified → Trunk
Comment 3•14 years ago
Since you've already entered your master password, I don't think this needs to block.
blocking2.0: ? → -
Component: Security → Password Manager
Product: Core → Toolkit
QA Contact: toolkit → password.manager
Updated•14 years ago
Assignee: dolske → nobody
No longer blocks: 566910
Group: core-security
Status: NEW → RESOLVED
blocking2.0: - → ---
Closed: 14 years ago
Component: Password Manager → Security
Product: Toolkit → Core
QA Contact: password.manager → toolkit
Resolution: --- → DUPLICATE
Updated•14 years ago
Component: Security → Password Manager
Product: Core → Toolkit
QA Contact: toolkit → password.manager