search

jfitzell / mozilla-keychain

Store your Firefox website usernames and passwords in Apple's Keychain Services, just like Safari and other browsers do on OS X.
55 stars 9 forks source link

In Firefox Developer Edition you can see all passwords in plain text #75

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Install & Open Firefox Developer Edition 37.0a2 (probably all versions)
2. Open Preferences, Security Tab
3. Click on Saved Password, and then Show all passwords buttons.

What is the expected output? What do you see instead?
I can see ALL my passwords in plain text. I would expect not to see this button 
at all, like in normal Firefox. Also the message 'Passwords are managed by 
keychain extension' is missing too.

What version of the product are you using? On what operating system?
Firefox Developer Edition 37.0a2 (probably all versions), Plugin version 1.1.8 
on OS X 10.10.2 Yosemite

Please provide any additional information below.
I really think having this option defeats the purpose of this plugin, I hate 
Mozilla for this button and this is the reason I wanted to store my passwords 
in a safer place, not giving the option for a stranger who sits at my computer 
for 2 minutes to see all my passwords. If you really want to see them, you 
should reenter the master password in Keychain Access.

Thank you for your work!

Original issue reported on code.google.com by estet...@gmail.com on 6 Feb 2015 at 10:14

GoogleCodeExporter commented 9 years ago 
Hi, I've fixed this in v1.1.9.

Note, though, that all I can do is hide the button. If you grant Firefox access 
to your Keychain passwords then Firefox (or someone writing code in a console) 
can access any such passwords any time your keychain is unlocked. If you're 
concerned about that, you should consider setting your keychain to 
automatically lock after a short delay.

Also, just to let you know, Mozilla is working on a major rewrite of their 
password storage, which may improve things, though may not go as far as you 
would like: https://bugzilla.mozilla.org/show_bug.cgi?id=1121291

And unfortunately, they still don't seem to have any intention to support the 
keychain... no idea yet whether it will still be possible to hook in Keychain 
behind the scenes.

Thanks for the bug report!

Original comment by jfitz...@gmail.com on 19 Feb 2015 at 9:39