Closed Bug 986637 Opened 6 years ago Closed 5 years ago

Desktop Firefox Accounts implementation stores entire credential bundle in cleartext on disk

Categories

(Firefox :: Sync, defect, P1)

29 Branch
defect

Tracking

()

VERIFIED FIXED
Firefox 34
Tracking Status
firefox-esr31 --- wontfix

People

(Reporter: Gavin, Unassigned)

References

Details

(Keywords: sec-moderate, Whiteboard: [qa+])

+++ This bug was initially created as a clone of Bug #970167 +++

In the course of reviewing Bug 967047, I noticed that FxA credentials weren't stored in Password Manager.

"Huh", I thought. "So where are they?"

The answer is "in a JSON file named signedInUser.json, in the profile directory, complete with kB and every other value associated with your account".

This seems less than ideal. There are very real problems with storing credentials in Password Manager, but…


18:38:53 < jbonacci> O_O
18:39:09 < jbonacci> that feels like a bug
18:41:37 < rfkelly> wat?
18:42:17 < rfkelly> rnewman that smells bad; please file something about it
18:50:38 < jbonacci> rfkelly crap
18:50:40 < jbonacci> he is right
18:50:44 < jbonacci> I am looking right at it


Marking this as a blocker; please triage and correct if the three of us are missing some context.

Note that this doesn't affect the separate implementation on Firefox on Android, where the OS provides isolation and some security for credentials.
Bug 970167 has mitigated this problem in the short (hopefully not too long) term by disabling password sync when a master password is set.

Finding a cross-platform way to secure the sync credentials will be tricky. We can maybe rely on system APIs for storing passwords/keys, but that requires writing at least three separate backends for it.
If we don't mind replicating the poor UX experience of the existing sync with a master-password, I imagine we could store enough of the information in the profile directory to verify we are (theoretically) logged in, and the credentials themselves in the password protected store.  This doesn't seem optimal, but worth mentioning as another option we have.
Whiteboard: [qa+]
Depends on: 1013064
Group: firefox-core-security
No longer blocks: 995268
Group: core-security
This was fixed by 1013064.
(in the case where a master password is set)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 34
+ Tracy Walker
Verified as fixed on FF 34.10b
OS: WIn 7 x64, Ubuntu 14.04 x64 the information stocked on signedInUser.json is reduced to:
{"version":1,"accountData":{"email":"useremail","uid":"b9ee.....","sessionToken":"ae8.......bd0d4dbf","verified":true}}
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.