Status

()

enhancement
P3
normal
UNCONFIRMED
6 years ago
2 months ago

People

(Reporter: mozilla, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

6 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130512194354

Steps to reproduce:

I Stored passwords in the Password Manager with a weak Masterpassword. those data were synced with my Android Tablet which had no Masterpassword (luckily it had a lock screen password).


Actual results:

Now that device got stolen and the thief could read my stored passwords (if it gets past the Lockscreen).

I tried to delete all passwords locally and sync this to the other device, but that didn't work either, cause there is another bug: https://bugzilla.mozilla.org/show_bug.cgi?id=881175


Expected results:

I would like to be able to delete the synced data and ban that stolen device from the sync process after the passwords on the device are deleted.


Instead my only chance is to change the google-account password and hope it wasn't too much of a hacker that stole the device
Reporter

Updated

6 years ago
See Also: → 881175
Reporter

Comment 1

6 years ago
In the support forum, there is suggested to change all your passwords after deleting the sync data: http://support.mozilla.org/en-US/kb/disable-firefox-sync-lost-phone-or-tablet?esab=a&s=stolen+sync+data&r=5&as=s

Which surely is the safest method, but that is no solution, if you had hundredths of (mostly quite unimportant) passwords stored.

This idea came when I thought about a solution here: http://superuser.com/questions/605638/how-do-i-ban-a-device-from-firefox-sync
If you change your Sync credentials, you'll be unable to send any commands to the device.

You could send a wipeRemote command to the other device, but there is no UI for doing so, and you are dependent on the other device syncing. This requires some expertise; if you wish to pursue this route, please ping me on irc.mozilla.org #sync.

The best solution is to use one of the existing Android remote wipe tools, in conjunction with encrypted storage and a PIN or pattern lock screen.
Severity: normal → enhancement
Component: Untriaged → Firefox Sync: Cross-client
OS: Linux → All
Product: Firefox → Mozilla Services
Hardware: x86_64 → All
See Also: 881175
Summary: Firefox Sync: possibility to delete stored Data on the other devices → Firefox Sync: remote wipe
Version: 21 Branch → unspecified
Component: Firefox Sync: Cross-client → Sync
Product: Cloud Services → Firefox

+:m_and_m, may be some interesting food-for-thought here for new password manager experiences?

Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.