marius-wieschollek / passwords-webextension

The official browser extension for the Passwords app for Nextcloud.
GNU General Public License v3.0

Firefox Sync synchronizes URL, username and password in cleartext #248

Open KlepD-SAL opened 1 year ago

KlepD-SAL commented 1 year ago

System Information

Steps to reproduce

  1. Set up the Passwords extension
  2. Log in to Firefox Sync (syncing only Add-ons and Settings)
  3. Inspect synced extension data (extension-storage) with Firefox Addon About Sync

Actual result

The passwords extension syncs, among other data, the server URL (baseUrl), username (user) and password (token) in cleartext.

Expected result

I would expect it to only sync the server URL and an actual token (generated access token, or whatever Nextcloud provides, instead of username and password).

My first guess would be that this data is stored in the storage.sync area, which gets synchronized with Firefox Sync.

From a privacy perspective, this should definitely be given a look!

marius-wieschollek commented 1 year ago

This is a known issue. Firefox & Chrome provide no way of securely storing login data. That's why you can't use your password for the extension.

KlepD-SAL commented 1 year ago

Firefox & Chrome provide no way of securely storing login data.

Should it then be considered not syncing the credentials at all (and keeping it only in local storage)? Or is this a standard approach of Firefox extensions?

That's why you can't use your password for the extension.

Well, I don't know if it used my user's Nextcloud password, but it definitely synced it to Firefox. I assume that it used a password login, since I set up the extension quite a while ago.

Yesterday, I removed my account in the extension and re-added it (via PassLink). After another check in About Sync, it was now using (and obviously syncing) an app password/token instead of the user password.
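Assuming the reporter's guess is right that the account settings live in storage.sync, the following added example (not the extension's own code) shows the split a defender would want: only baseUrl goes to the synced area, user and token stay in storage.local, and an audit function replays the About Sync check on a snapshot of the synced area. The in-memory stand-in for browser.storage is constructed so the example runs outside a browser.

```javascript
// Added example, not code from the passwords-webextension project.
// The key names baseUrl, user and token are the ones named in the issue.
// Everything else here (the allowlist, the in-memory stand-in for
// browser.storage) is constructed so that the example runs outside a browser.

// Settings allowed to leave the device via Firefox Sync. Everything else,
// in particular user and token, is written to storage.local only.
const SYNC_SAFE_KEYS = new Set(["baseUrl"]);
const SECRET_KEYS = new Set(["user", "token"]);

// Pure split of a settings object into the part for storage.sync and the
// part for storage.local, so the policy can be tested without a browser.
function partitionSettings(settings) {
  const sync = {};
  const local = {};
  for (const [key, value] of Object.entries(settings)) {
    (SYNC_SAFE_KEYS.has(key) ? sync : local)[key] = value;
  }
  return { sync, local };
}

// Audit check on a snapshot of the synced area: the programmatic version of
// inspecting extension-storage with the About Sync add-on.
function findLeakedSecrets(syncSnapshot) {
  return Object.keys(syncSnapshot).filter((key) => SECRET_KEYS.has(key));
}

// Minimal stand-in for one browser.storage area (same Promise-based shape
// as the WebExtension API: set(items) stores, get(null) returns everything).
function makeArea() {
  const data = {};
  return {
    set: async (items) => { Object.assign(data, items); },
    get: async (keys) => {
      const wanted = keys == null ? Object.keys(data) : [].concat(keys);
      return Object.fromEntries(wanted.filter((k) => k in data).map((k) => [k, data[k]]));
    },
  };
}
const browser = { storage: { sync: makeArea(), local: makeArea() } };

// Write account settings to the two areas according to the policy above and
// return the list of secret keys that ended up synced (empty when none did).
async function saveAccount(settings) {
  const { sync, local } = partitionSettings(settings);
  await browser.storage.sync.set(sync);
  await browser.storage.local.set(local);
  return findLeakedSecrets(await browser.storage.sync.get(null));
}
```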