fligtar / password-exporter

a Firefox add-on that exports and imports saved passwords
https://addons.mozilla.org/addon/2848
83 stars 27 forks

Extension bypasses master password #55

Open ghost opened 8 years ago

ghost commented 8 years ago

Having a master password set, the export process doesn't require it to access the saved data.

Firefox 46.0b2 Debian stretch

I'd say this is a Firefox security issue, not a bug in the extension, but I'd prefer to confirm with you before reporting there.

jvillalobos commented 8 years ago

I just gave it a try and the master password was requested. I think the master password prompt doesn't show up every single time a password is accessed; it has a short time interval during which the passwords are "unlocked".

ghost commented 8 years ago

Not when you want to display them in plaintext, like this extension does. Then the master password is always requested.

I wasn't prompted at all during the export.

> a short time interval

Just tested it in Preferences -> Security -> Saved Logins.... I was prompted every time I copied a password; the master password didn't remain unlocked.

jvillalobos commented 8 years ago

As far as I can tell, this isn't a bug in the add-on, since it uses the Login Manager API, which is the one that decides when to prompt for the Master Password. If there's a bug, it's possibly on the Firefox side. Closing since I don't think there's anything that can be done on the add-on side.

ghost commented 8 years ago

Thanks, issue created at Bugzilla https://bugzilla.mozilla.org/show_bug.cgi?id=1284343

mnoorenberghe commented 8 years ago

> As far as I can tell, this isn't a bug in the add-on, since it uses the Login Manager API, which is the one that decides when to prompt for the Master Password. If there's a bug, it's possibly on the Firefox side. Closing since I don't think there's anything that can be done on the add-on side.

That's incorrect. When displaying passwords in plaintext to users (like exporting does), the consumer should be prompting for the master password as additional security. That's how the password manager UI works: the prompt before revealing isn't implemented by the loginmanager code itself; it's the UI which prompts. See https://dxr.mozilla.org/mozilla-central/rev/88bebcaca249aeaca9197382e89d35b02be8292e/toolkit/components/passwordmgr/content/passwordManager.js#494
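
The consumer-side gate described in the comment above, as an added example that is not code from the add-on, Firefox, or any commenter in this thread. `reauthenticate`, `exportLogins`, `fakeToken` and `fakeLogins` are hypothetical names; in privileged Firefox code of that era the token would come from `nsIPK11TokenDB.getInternalKeyToken()` and the logins from `Services.logins`, which are replaced here by constructed stand-ins so the logic runs outside the browser.

```javascript
// Returns true only after the user has just re-entered the master password
// (or when no master password is set at all).
function reauthenticate(token) {
  // checkPassword("") succeeds only when no master password is set.
  if (token.checkPassword("")) return true;
  try {
    token.login(true); // force=true: always prompt, even if unlocked earlier
  } catch (e) {
    return false;      // the prompt throws when the user cancels
  }
  return token.isLoggedIn();
}

// Hypothetical export entry point: no plaintext leaves without re-auth.
// The login store returns decrypted entries once the session is unlocked,
// so the check has to live here, in the consumer.
function exportLogins(logins, token) {
  if (!reauthenticate(token)) return null;
  return logins.getAllLogins().map(l => ({
    hostname: l.hostname, username: l.username, password: l.password,
  }));
}

// Constructed stand-in for the key token. `typed` is what the simulated
// user enters at the prompt (null = cancel). Assumption: a failed
// checkPassword leaves the token logged out.
function fakeToken(master, typed) {
  let loggedIn = true; // session already unlocked, as in the report
  return {
    checkPassword(pw) { loggedIn = pw === master; return loggedIn; },
    login(force) {
      if (!force && loggedIn) return;
      if (typed !== master) throw new Error("prompt cancelled");
      loggedIn = true;
    },
    isLoggedIn() { return loggedIn; },
  };
}

// Constructed sample login store.
const fakeLogins = {
  getAllLogins: () => [{ hostname: "https://example.test",
                         username: "alice", password: "constructed-secret" }],
};

console.log(exportLogins(fakeLogins, fakeToken("mp", null))); // user cancels
console.log(exportLogins(fakeLogins, fakeToken("mp", "mp"))); // re-auth ok
```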

jvillalobos commented 8 years ago

Thanks for the info, I'll look into it.