Last Comment Bug 667327 - Data Manager Allows Passwords to Be Copied Without Input of Master Password
: Data Manager Allows Passwords to Be Copied Without Input of Master Password
Status: RESOLVED FIXED
:
Product: SeaMonkey
Classification: Client Software
Component: Passwords & Permissions (show other bugs)
: Trunk
: All All
: -- major (vote)
: seamonkey2.12
Assigned To: Edmund Wong (:ewong)
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-26 13:48 PDT by David E. Ross
Modified: 2012-05-02 14:41 PDT (History)
6 users (show)
ryanvm: in‑testsuite-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
wontfix
fixed
fixed


Attachments
Require master password before allowing password to be copied. (1.97 KB, patch)
2012-04-04 00:15 PDT, Edmund Wong (:ewong)
no flags Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v2) (1.86 KB, patch)
2012-04-04 02:44 PDT, Edmund Wong (:ewong)
kairo: review+
neil: superreview-
Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v3) (1.86 KB, patch)
2012-04-06 19:51 PDT, Edmund Wong (:ewong)
no flags Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v4) (1.86 KB, patch)
2012-04-11 06:09 PDT, Edmund Wong (:ewong)
no flags Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v4) (2.07 KB, patch)
2012-04-11 06:29 PDT, Edmund Wong (:ewong)
kairo: review+
neil: superreview+
Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v5) (2.05 KB, patch)
2012-04-14 06:02 PDT, Edmund Wong (:ewong)
ewong: review+
ewong: superreview+
Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v6) (1.99 KB, patch)
2012-04-14 06:16 PDT, Edmund Wong (:ewong)
ewong: review+
ewong: superreview+
Details | Diff | Splinter Review
Require master password before allowing password to be copied. (v7) [Checkin: Comments 21 and 22] (1.99 KB, patch)
2012-04-14 06:21 PDT, Edmund Wong (:ewong)
kairo: review+
neil: superreview+
kairo: approval‑comm‑aurora+
kairo: approval‑comm‑beta+
Details | Diff | Splinter Review

Description David E. Ross 2011-06-26 13:48:14 PDT
If I have already entered my master password during a session, I can reach the Passwords tab in Data Manager.  On selecting the Show Passwords button, I have to enter my master password again to view passwords.  

When I do get the Passwords tab after only one entry of my master password, however, I can select an entry in the right-hand pane, right-click to get the pull-down context menu, and select Copy Password without again entering my master password.  I can then paste the password to an input area, text editor, or any other writable space.  

This indicates a security vulnerability for Passwords & Permissions in Data Manager because the need to input the master password to view actual passwords can be bypassed.  

Note:  Using the Password Exporter 1.2.1 extension to access passwords as implemented in SeaMonkey 2.0.14 and previous versions, I see the same problem.  Thus, this is not something new, merely something newly discovered.
Comment 1 David E. Ross 2011-06-26 13:53:23 PDT
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20110608 SeaMonkey/2.1

I reproduced this problem operating SeaMonkey in Safe Mode.
Comment 2 therube 2011-07-01 13:39:11 PDT
Don't know when or how many times a Master Password should prompt, but I can confirm the OP's findings.

Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20110626 Firefox/5.0 SeaMonkey/2.2
Comment 3 David E. Ross 2011-07-01 21:44:09 PDT
Re comment #2:

I suggest the following:  

The master password should be required to see the list of domains for which logon passwords have been saved.  If the master password was already entered previously in the current session (the session ending if profiles are switched), that should suffice.  

Since a user might forget that the master password was previously entered, the master password should be required again to see passwords.  This is a safety measure.  However, having once selected "Show Passwords" and then entered the master password, the master password should not again be required during the current session of the Data Manager.  Merely viewing a different browser tab or a different Data Manager tab should not mean the end of the current session of the Data Manager.
Comment 4 bugzilla.mozilla.org 2012-02-17 16:26:59 PST
When entering into Password manager the user should be required to enter master password to either view passwords or copy passwords by right clicking & copying password.
Comment 5 David E. Ross 2012-04-02 22:33:29 PDT
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20120312 SeaMonkey/2.8

This is still a problem.  Also see bug #571997.
Comment 6 Edmund Wong (:ewong) 2012-04-04 00:15:47 PDT
Created attachment 612122 [details] [diff] [review]
Require master password before allowing password to be copied.
Comment 7 Edmund Wong (:ewong) 2012-04-04 02:44:54 PDT
Created attachment 612138 [details] [diff] [review]
Require master password before allowing password to be copied. (v2)
Comment 8 Robert Kaiser 2012-04-04 14:58:23 PDT
Comment on attachment 612138 [details] [diff] [review]
Require master password before allowing password to be copied. (v2)

Review of attachment 612138 [details] [diff] [review]:
-----------------------------------------------------------------

This basically looks good to me, thanks a lot. I'm a bit weak on how to use those services, though, so I want Neil to give it a look to see if you used this correctly.
Comment 9 Robert Kaiser 2012-04-04 15:04:47 PDT
Comment on attachment 612138 [details] [diff] [review]
Require master password before allowing password to be copied. (v2)

Oh, actually, I have one nit: File style is to not have opening braces on their own line but on the same line as try, if, catch, etc. - so please do the same here.
Comment 10 neil@parkwaycc.co.uk 2012-04-05 02:01:02 PDT
Comment on attachment 612138 [details] [diff] [review]
Require master password before allowing password to be copied. (v2)

I think it would be pointless to require the master password if the passwords have been made visible. Conveniently this is readily available via the this.showPasswords property. However if you think you can argue the case you should rerequest review.

Assuming KaiRo is going to update his extension, I also think it would be a good idea to keep the code in sync. However, this does mean having to work with older versions of Gecko in which I believe there was a bug in the master password code relating to token.needsUserInit which could be false even though the master password was blank. Our _confirmShowPasswords method works around this by simply calling token.checkPassword("") which will return true for a blank password.

I would therefore appreciate it if you only attempt to login if both of the above checks have failed. Unfortunately as you know the login function throws an exception instead of failing otherwise the code would have been written as:
if (this.showPasswords || token.checkPassword("") || token.login(true)) {
  // Copy selected signon's password to clipboard
}
Comment 11 Robert Kaiser 2012-04-05 03:36:33 PDT
(In reply to neil@parkwaycc.co.uk from comment #10)
> I think it would be pointless to require the master password if the
> passwords have been made visible. 

Thanks, I knew why I wanted to involve you there. :)
That said, in most cases, people have entered the master password when showing those, will the current code always re-prompt or only if this has been too long out?
Anyhow, the proposed improvements seem like a good idea!

> Assuming KaiRo is going to update his extension

I just posted an update with the patch from here included, but I surely will update the add-on code with any further improvements.
Comment 12 Edmund Wong (:ewong) 2012-04-06 19:51:57 PDT
Created attachment 613060 [details] [diff] [review]
Require master password before allowing password to be copied. (v3)
Comment 13 Robert Kaiser 2012-04-08 15:22:38 PDT
Comment on attachment 613060 [details] [diff] [review]
Require master password before allowing password to be copied. (v3)

Umm this is the same patch as the one before. Please request sr from Neil as well when you attach the correct patch.
Comment 14 Edmund Wong (:ewong) 2012-04-11 06:09:03 PDT
Created attachment 613963 [details] [diff] [review]
Require master password before allowing password to be copied. (v4)
Comment 15 Edmund Wong (:ewong) 2012-04-11 06:29:38 PDT
Created attachment 613970 [details] [diff] [review]
Require master password before allowing password to be copied. (v4)
Comment 16 neil@parkwaycc.co.uk 2012-04-11 06:53:43 PDT
Comment on attachment 613970 [details] [diff] [review]
Require master password before allowing password to be copied. (v4)

>+    var row = this.tree.currentIndex;
>+    var password = gPasswords.displayedSignons[row].password;
...
>-    let row = this.tree.currentIndex;
>-    let password = gPasswords.displayedSignons[row].password;
>-    gLocSvc.clipboard.copyString(password);
>+    // Prompt for the master password upfront.
>+    let token = Components.classes["@mozilla.org/security/pk11tokendb;1"]
>+                          .getService(Components.interfaces.nsIPK11TokenDB)
>+                          .getInternalKeyToken();
I'm confused. You changed these to var, and then added a let...
Better to leave these using let, this should improve the diff too.

>+    try {
>+      if (this.showPasswords || token.checkPassword(""))
>+      {
>+        this.copySelPassword();
>+      }
>+      else 
>+      {
>+        token.login(true);
>+        this.copySelPassword();
>+      }  
>+    } catch (ex) {
>+      // If user cancels an exception is expected.
>+    }
Please put the try/catch in the else block of the if. Also, you don't need the {}s around the first part of the if.
Comment 17 Edmund Wong (:ewong) 2012-04-14 06:02:40 PDT
Created attachment 615031 [details] [diff] [review]
Require master password before allowing password to be copied. (v5)

Fixed nits.
Comment 18 Edmund Wong (:ewong) 2012-04-14 06:16:26 PDT
Created attachment 615033 [details] [diff] [review]
Require master password before allowing password to be copied. (v6)

Minor changes.
Comment 19 Edmund Wong (:ewong) 2012-04-14 06:21:53 PDT
Created attachment 615036 [details] [diff] [review]
Require master password before allowing password to be copied. (v7) [Checkin: Comments 21 and 22]
Comment 20 Robert Kaiser 2012-04-26 14:57:38 PDT
Comment on attachment 615036 [details] [diff] [review]
Require master password before allowing password to be copied. (v7) [Checkin: Comments 21 and 22]

And given that this could be seen as a potential security problem, I'm approving this for aurora and beta.
Comment 21 Ryan VanderMeulen [:RyanVM] 2012-04-28 07:45:06 PDT
http://hg.mozilla.org/comm-central/rev/0338581fa753
Comment 22 Jens Hatlak (:InvisibleSmiley) 2012-05-02 14:40:45 PDT
Comment on attachment 615036 [details] [diff] [review]
Require master password before allowing password to be copied. (v7) [Checkin: Comments 21 and 22]

http://hg.mozilla.org/releases/comm-aurora/rev/9cb63cb40c87
http://hg.mozilla.org/releases/comm-beta/rev/950c8af11431

Note You need to log in before you can comment on or make changes to this bug.