622462 - Clicking 'Cancel' multiple times when prompted for the master password allows access to email

Status: RESOLVED DUPLICATE of bug 318697

(Thunderbird :: Security, defect)

Description

[Anthony Papillion]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7

This problem occurs in both Windows and Linux. 

When a master password is set and Thunderbird is first opened, it will prompt for the master password. If the user does not enter any password and clicks 'Cancel' multiple times, the prompt will eventually (withing 20 clicks of cancel) go away and the user will be granted access to mail just as if they had entered the proper master password.

Reproducible: Always

Steps to Reproduce:
1. Set a master password
2. Close Thunderbird
3. Open Thunderbird
4. When prompted for the master password, click 'Cancel'
5. Continue to click 'Cancel' each time you are asked for the password.
6. Eventually, you will not be asked for the password and will access mail.
Actual Results:  
I was granted access to Thunderbird even though I did not enter the master password. I was able to send and receive mail, read and post to newsgroups, and generally perform all actions I could if I had entered the password.

Expected Results:  
I should not have been granted access to Thunderbird until I entered the correct master password.

Comment 1

[:Gavin Sharp [email: gavin@gavinsharp.com]]

This is expected behavior; the master password was never designed to block access to already-downloaded mail, but rather only to the saved credentials for connecting to the mail server.

(The locally stored mail is currently stored unencrypted on your hard drive, so even if the master password were to protect against launching Thunderbird, it wouldn't truly protect the mail.)