Access control issue on Firefox Lockwise (desktop)
Categories: Firefox :: about:logins, task
People: Reporter: testbr09, Unassigned
Details: Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 3 files
Hi team,
I found one access control issue related to stored passwords in Firefox Lockwise.
POC
1. go to Firefox > accounts and passwords > enable master password
2. go again to Firefox > accounts and passwords
   Now the master password is requested to unlock the vault > insert it
3. select any stored site > password > copy
   Response: "Enter your master password"
4. click on 'show password'
   Response: "Enter your master password"
5. change the password field to text (using the inspect element feature)
   The password can be copied as text without any entry of the master password.
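The report above turns on one design point: an input's type="password" only masks what is drawn on screen, it is not an access control, so if the secret is already sitting in the field's value, flipping the type reveals it. The following is an added illustration written for this page, not Lockwise code and not the reporter's; it models the field as a plain object (no DOM needed) and contrasts a row that writes the secret into the field at render time with a row that keeps the field empty until the vault has been unlocked. The master password, site and login values are constructed sample data, and unlock()/reveal()/lock() are hypothetical names.

```javascript
// Minimal stand-in for a DOM <input>; a real page would use document.createElement.
function makeField() {
  return { type: 'password', value: '' };
}

// Constructed sample vault: the master password and stored login are made up.
const MASTER_PASSWORD = 'correct horse battery staple';
const STORED_LOGINS = { 'example.test': { username: 'alice', password: 'hunter2' } };

// Naive row: the secret is written into the field when the row is rendered and
// only the input type hides it. Nothing checks the master password on read.
function renderNaiveRow(site) {
  const field = makeField();
  field.value = STORED_LOGINS[site].password;
  return field;
}

// Gated row (hypothetical design): the field holds no secret until the vault
// has been unlocked; reveal() is the only path that copies the secret in, and
// it refuses while locked. lock() scrubs the field again.
function createGatedRow(site) {
  let unlocked = false;
  const field = makeField();
  return {
    field,
    unlock(candidate) {
      // Real code would verify against a derived key (KDF), never a plaintext compare.
      unlocked = candidate === MASTER_PASSWORD;
      return unlocked;
    },
    reveal() {
      if (!unlocked) return false; // field stays masked and empty
      field.type = 'text';
      field.value = STORED_LOGINS[site].password;
      return true;
    },
    lock() {
      unlocked = false;
      field.type = 'password';
      field.value = '';
    },
  };
}

// What step 5 of the report amounts to: change the type and read the value.
// Used here as the regression check a defender would keep in a test suite.
function readAsText(field) {
  field.type = 'text';
  return field.value;
}

// Stand-alone demonstration of both rows.
function demo() {
  const naive = renderNaiveRow('example.test');
  const gated = createGatedRow('example.test');
  return {
    naiveLeak: readAsText(naive),            // 'hunter2': masking alone fails
    gatedBeforeUnlock: readAsText(gated.field), // '': nothing to read
    unlockOk: gated.unlock(MASTER_PASSWORD),
    revealOk: gated.reveal(),
    gatedAfterUnlock: gated.field.value,     // 'hunter2' only after the check
  };
}
```

The point of the gated row is that the secret never exists in the field (and so never in the DOM) until the unlock state has been established, which is the property the "field goes blank" behaviour described in the next comment provides; the type-flip check in readAsText() is the regression test that distinguishes the two designs.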
Comment 1•5 years ago
Thanks for the report, tester. However, I am unable to reproduce this. I always get asked for the master password, and when I manually change the password field to a text field, the field actually goes blank (i.e. the password is not shown) until the master password is entered. See attached.
Which Firefox version are you using?
I have also re-categorised this bug so Lockwise folks can chime in.
Hi,
I'm using the latest version of Firefox: 72.0.2 (64-bit).
I have attached a video with the POC now.
Comment 4•5 years ago
Thanks, I can reproduce now. I was trying on Firefox Developer Edition earlier, but I am not entirely sure whether there is actually a difference in behaviour due to this.
The only thing I can think of which may make this a potential non-issue is: if an attacker/malware already has this level of access to the browser (changing DOM-level elements, i.e. a man-in-the-browser scenario), then it is very unlikely that existing browser-level protections could protect you.
I will have to defer to Lockwise folks on whether this makes sense or if it's indeed an issue.
Comment 5•5 years ago
This will be fixed in Firefox 73 (in Beta now).
Thanks, team.
Is this eligible under your bug bounty program?