nextcloud / passman-webextension

Webextension for the Passman Nextcloud app. Also offers browser extension & Android app.
https://passman.cc
GNU Affero General Public License v3.0

Firefox extension security issue #312

Open Titi-nux opened 4 years ago

Titi-nux commented 4 years ago

Good morning all,

I just discovered this, but maybe it is already known:

When the Passman extension is installed on Firefox.

If 2-step authentication is enabled for your Nextcloud account.

If your safe is unlocked on the extension.

By refreshing your homepage with the address:

https://your_cloud/apps/files/

The connection to the Nextcloud account is then done automatically using the password of the application defined in the 2-step authentication settings.

And besides, it passes the 2-step authentication.

Steps to reproduce

  1. Go to the address https://your_cloud/apps/files/

  2. Unlock your Firefox Passman extension

  3. Refresh the page: https://your_cloud/apps/files/

  4. You are connected

Passman version: 2.3.4

Extension version: 2.11

Web Browser: Firefox

Nextcloud version: 17.0.1

PocketFR commented 4 years ago

Same here:

Passman version: 2.3.4

Extension version: 2.1.1

Firefox version: 71.0

Nextcloud version: 16.0.6

No problem with Vivaldi browser 2.9.1705.41, extension version 2.1.2