Closed Bug 600881 Opened 14 years ago Closed 14 years ago

Able to copy password from password manager without entering master password

Categories

(Toolkit :: Password Manager, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 571997
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: david, Unassigned)

Details

(Keywords: privacy, regression, Whiteboard: [sg:low local password loss])

User-Agent:       Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b7pre) Gecko/20100930 Firefox/4.0b7pre
Build Identifier: 4.0b7pre

I have passwords stored. If you enter the master password key once, you get into the password manager. You can then right-click on any password and Copy Password, and it copies the password out. However the "Show Passwords" button requires further confirmation by entering the master password again. I would think that both of these operations should require the master password, or neither.

Reproducible: Always

Steps to Reproduce:
1. Open password manager and type in master password
2. Right-click on password key, and select "Copy Password"
3. Password can be pasted anywhere

Actual Results:
Password is copied to clipboard in the clear

Expected Results:  
Prompted for the master password again, as the "Show Passwords" button requires, or the password is not copied

I don't think it's a critical security error as just entering the dialog still requires a master password, but I'm erring on the side of caution in selecting the Security box

Confirming. New feature in FF4 (bug 566910) so older branches unaffected.

The behavior is inconsistent and broken, but maybe in practice not much worse than the current (FF 3.6) dialog:
 * if passwords hadn't been used (attacker launches Firefox from the
   desktop?) then you have to know the master password (no exploit here)
 * if the victim had already used the MPw once that session the local
   snooper can open the password list.
   a. see interesting site in the list
   b. open the site (password is filled for you)
   c. use javascript: or inspector to get the value of the password

This new FF4 behavior makes the problem so easy anyone can do it, whereas figuring out steps b and c may have protected you from the average person (but not from anyone marginally competent with web technology).

We have other bugs on the fact that the sites and user names alone are valuable information. Perhaps we can solve both problems by moving the Master Password requirement from the "Show Passwords" button to opening the "Saved Passwords" dialog at all (whether the Master Password had been previously used in that session or not).

Benefits:
1. "Copy Password" is as protected as "Show Passwords"
2. user name and site info is also protected

Assignee: nobody → dolske
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
Ever confirmed: true
Keywords: privacy
Whiteboard: [sg:low local password loss]
Blocks: 566910
Keywords: regression
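
Added example, not part of the bug thread and not Firefox code: a toy model of the two gating policies discussed above, the reported FF4 behaviour (re-prompt only on "Show Passwords") and the proposal to require the master password whenever the "Saved Passwords" dialog opens. Every class, function and value name is hypothetical and the login data is constructed.

```javascript
// Toy model, not Firefox code: every name below is hypothetical.
const MASTER = "correct horse"; // constructed sample value
const LOGINS = [{ site: "https://example.test", user: "alice", password: "s3cret" }];

class SavedPasswordsDialog {
  // policy "ff4": master password re-confirmed only by Show Passwords (as reported)
  // policy "gate-on-open": re-confirmed whenever the dialog opens (the proposal)
  constructor(policy, session, typed) {
    const fresh = typed === MASTER;
    const ok = policy === "gate-on-open" ? fresh : session.unlocked || fresh;
    if (!ok) throw new Error("master password required");
    session.unlocked = true;
    this.policy = policy;
  }
  listSites() {
    return LOGINS.map(({ site, user }) => ({ site, user }));
  }
  showPasswords(typed) {
    if (this.policy === "ff4" && typed !== MASTER)
      throw new Error("master password required");
    return LOGINS.map((l) => l.password);
  }
  copyPassword(index) {
    // Neither policy checks here; "gate-on-open" relies on the constructor.
    return LOGINS[index].password;
  }
}

// What a person at the keyboard who does not know the master password can
// obtain once the owner has already unlocked the session.
function snooperView(policy) {
  const session = { unlocked: true };
  const got = { sites: null, shown: null, copied: null };
  try {
    const dlg = new SavedPasswordsDialog(policy, session, undefined);
    got.sites = dlg.listSites();
    try { got.shown = dlg.showPasswords(undefined); } catch (e) { /* refused */ }
    got.copied = dlg.copyPassword(0);
  } catch (e) { /* dialog refused to open */ }
  return got;
}

console.log(snooperView("ff4"));
console.log(snooperView("gate-on-open"));
```

Under the "ff4" policy the model refuses Show Passwords but still returns the copied password and the site/user list; under "gate-on-open" nothing is returned without the master password.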
This is actually a dupe of bug 571997. Don't know if duping it has security implications.

OS: Windows 7 → All
Hardware: x86 → All
Version: unspecified → Trunk

Since you've already entered your master password, I don't think this needs to block.

blocking2.0: ? → -
Component: Security → Password Manager
Product: Core → Toolkit
QA Contact: toolkit → password.manager
Assignee: dolske → nobody
No longer blocks: 566910
Group: core-security
Status: NEW → RESOLVED
blocking2.0: - → ---
Closed: 14 years ago
Component: Password Manager → Security
Product: Toolkit → Core
QA Contact: password.manager → toolkit
Resolution: --- → DUPLICATE
Component: Security → Password Manager
Product: Core → Toolkit
QA Contact: toolkit → password.manager