Extension bypasses master password #55
Comments
|
I just gave it a try and the master password was requested. I think the master password prompt doesn't show up every single time a password is accessed; it has a short time interval during which the passwords are "unlocked". |
|
Not when you want to display them in plaintext, like this extension does. Then the master password is always requested. I wasn't prompted at all during the export.
Just tested it in |
|
As far as I can tell, this isn't a bug in the add-on, since it uses the Login Manager API, which is the one that decides when to prompt for the Master Password. If there's a bug, it's possibly on the Firefox side. Closing since I don't think there's anything that can be done in the add-on side. |
|
Thanks, issue created at Bugzilla |
That's incorrect. When displaying passwords in plaintext to users (like exporting does) the consumer should be prompting for the master password as additional security. That's how the password manager UI works, the prompt before revealing isn't implemented by the loginmanager code itself, it's the UI which prompts. See https://dxr.mozilla.org/mozilla-central/rev/88bebcaca249aeaca9197382e89d35b02be8292e/toolkit/components/passwordmgr/content/passwordManager.js#494 |
|
Thanks for the info, I'll look into it. |
Having a master password set, the export process doesn't require it to access the saved data.
Firefox 46.0b2
Debian stretch
I'd say this is a Firefox security issue, not a bug in the extension, but I'd prefer to confirm with you before reporting there.
The text was updated successfully, but these errors were encountered: