Open KlepD-SAL opened 1 year ago
This is a known issue. Firefox & Chrome provide no way of securely storing login data. That's why you can't use your password for the extension.
Firefox & Chrome provide no way of securely storing login data.
Should it then be considered not syncing the credentials at all (and keeping it only in local storage)? Or is this a standard approach of Firefox extensions?
That's why you can't use your password for the extension.
Well, I don't know if it used my user's Nextcloud password, but it definitely synced it to Firefox. I assume that it used a password login, since I set up the extension quite a while ago.
Yesterday, I removed my account in the extension and re-added it (via PassLink). After another check in About Sync, it was now using (and obviously syncing) an app password/token instead of the user password.
System Information
Steps to reproduce
Actual result
The passwords extension syncs, among other data, the server URL (baseUrl), username (user) and password (token) in cleartext.
Expected result
I would expect it to only sync the server URL and an actual token (generated access token, or whatever Nextcloud provides, instead of username and password).
My first guess would be that this data is stored in the storage.sync area, which is getting synchronized with Firefox Sync. From a privacy perspective, this should definitely be given a look!
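
Added example, not part of the original issue and not the extension's code: one way to keep the credential fields out of storage.sync, as raised in the thread, and to move fields that are already there into storage.local. It assumes the account is stored as flat keys named baseUrl, user and token as in the report; the function names and the in-memory `memoryArea` stand-in are hypothetical. This only keeps the values off Firefox Sync; storage.local is not encrypted.

```javascript
// Assumption: flat keys named as in the report. user and token stay local.
const SECRET_KEYS = ['user', 'token'];

// Decide which storage area each field belongs in.
function partition(items) {
  const synced = {}, local = {};
  for (const [key, value] of Object.entries(items)) {
    (SECRET_KEYS.includes(key) ? local : synced)[key] = value;
  }
  return { synced, local };
}

// Save an account; in an extension, `storage` would be browser.storage.
async function saveAccount(storage, account) {
  const { synced, local } = partition(account);
  await storage.local.set(local);
  await storage.sync.set(synced);
}

// Move secrets that an earlier version wrote to storage.sync into
// storage.local, then delete the synced copies. Returns the moved key names.
async function migrateSecrets(storage) {
  const { local } = partition(await storage.sync.get(null)); // null = all items
  const leaked = Object.keys(local);
  if (leaked.length > 0) {
    await storage.local.set(local);    // write the local copy first
    await storage.sync.remove(leaked); // then drop it from the synced area
  }
  return leaked;
}

// In-memory stand-in for one storage area, so the example runs under Node.
function memoryArea(initial = {}) {
  const data = { ...initial };
  return {
    data,
    async get() { return { ...data }; },
    async set(items) { Object.assign(data, items); },
    async remove(keys) { for (const k of keys) delete data[k]; },
  };
}

// Constructed sample state: everything sitting in the synced area.
async function demo() {
  const sample = { baseUrl: 'https://cloud.example', user: 'alice', token: 'constructed-value' };
  const storage = { sync: memoryArea(sample), local: memoryArea() };
  const moved = await migrateSecrets(storage);
  await saveAccount(storage, { ...sample, token: 'constructed-new-value' });
  return { moved, sync: storage.sync.data, local: storage.local.data };
}
```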