Bug 986637 (Closed) - Opened 11 years ago, Closed 10 years ago
Desktop Firefox Accounts implementation stores entire credential bundle in cleartext on disk
Categories: Firefox :: Sync, defect, P1
Status: VERIFIED FIXED, Target Milestone: Firefox 34
Tracking | Status
---|---
firefox-esr31 | wontfix
People: Reporter: Gavin, Unassigned
Keywords: sec-moderate, Whiteboard: [qa+]
+++ This bug was initially created as a clone of Bug #970167 +++
In the course of reviewing Bug 967047, I noticed that FxA credentials weren't stored in Password Manager.
"Huh", I thought. "So where are they?"
The answer is "in a JSON file named signedInUser.json, in the profile directory, complete with kB and every other value associated with your account".
This seems less than ideal. There are very real problems with storing credentials in Password Manager, but…
18:38:53 < jbonacci> O_O
18:39:09 < jbonacci> that feels like a bug
18:41:37 < rfkelly> wat?
18:42:17 < rfkelly> rnewman that smells bad; please file something about it
18:50:38 < jbonacci> rfkelly crap
18:50:40 < jbonacci> he is right
18:50:44 < jbonacci> I am looking right at it
Marking this as a blocker; please triage and correct if the three of us are missing some context.
Note that this doesn't affect the separate implementation on Firefox on Android, where the OS provides isolation and some security for credentials.
Comment 1 (Reporter) • 11 years ago
Bug 970167 has mitigated this problem in the short (hopefully not too long) term by disabling password sync when a master password is set.
Finding a cross-platform way to secure the sync credentials will be tricky. We can maybe rely on system APIs for storing passwords/keys, but that requires writing at least three separate backends for it.
Comment 2 • 11 years ago
If we don't mind replicating the poor UX experience of the existing sync with a master-password, I imagine we could store enough of the information in the profile directory to verify we are (theoretically) logged in, and the credentials themselves in the password protected store. This doesn't seem optimal, but worth mentioning as another option we have.
Updated • 10 years ago
Whiteboard: [qa+]
Updated • 10 years ago
Group: firefox-core-security
Updated (Reporter) • 10 years ago
Group: core-security
Comment 3 • 10 years ago
This was fixed by 1013064.
Comment 4 (Reporter) • 10 years ago
(in the case where a master password is set)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 34
Comment 5 • 10 years ago
+ Tracy Walker
Updated • 10 years ago
status-firefox-esr31: --- → wontfix
Comment 6 • 10 years ago
Verified as fixed on FF 34.10b
OS: Win 7 x64, Ubuntu 14.04 x64. The information stored in signedInUser.json is reduced to:
{"version":1,"accountData":{"email":"useremail","uid":"b9ee.....","sessionToken":"ae8.......bd0d4dbf","verified":true}}
Status: RESOLVED → VERIFIED
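The check below is an added example, not code from this bug or from Firefox. It does two things the thread discusses: it audits a signedInUser.json body for key material that should never sit in cleartext on disk (the pre-fix state described in the report, and the reduced shape comment 6 shows after the fix), and it performs the split comment 2 proposes, keeping only a "logged in" marker in the profile and handing everything else to a protected store. The report names kB; the other secret field names (kA, keyFetchToken, unwrapBKey) and both sample files are assumptions constructed for the example. The sessionToken stays in the on-disk marker because that is what the verified fix left there; it is still a bearer credential and is flagged as such.

```python
import json

# Key material and key-fetching secrets that must never be written in cleartext.
# kB is named in the bug; the other three names are assumed for this example.
SECRET_FIELDS = frozenset({"kA", "kB", "keyFetchToken", "unwrapBKey"})

# Fields the post-fix signedInUser.json (comment 6) still carries on disk.
MARKER_FIELDS = frozenset({"email", "uid", "sessionToken", "verified"})

# Of the marker fields, the ones that still act as a bearer credential.
BEARER_FIELDS = frozenset({"sessionToken"})

# Constructed sample of the pre-fix file: the whole bundle, values are placeholders.
FULL_BUNDLE = json.dumps({
    "version": 1,
    "accountData": {
        "email": "useremail",
        "uid": "b9ee0000",
        "sessionToken": "ae80000",
        "kA": "aa" * 32,
        "kB": "bb" * 32,
        "keyFetchToken": "cc" * 32,
        "unwrapBKey": "dd" * 32,
        "verified": True,
    },
})

# Constructed sample matching the reduced shape reported in comment 6.
REDUCED_BUNDLE = (
    '{"version":1,"accountData":{"email":"useremail","uid":"b9ee.....",'
    '"sessionToken":"ae8.......bd0d4dbf","verified":true}}'
)


def audit_signed_in_user(text):
    """Report what a signedInUser.json body exposes.

    Returns a dict with three sorted lists:
      secret   - key material found in cleartext (any entry is a finding)
      bearer   - session credentials still on disk (expected after the fix)
      unknown  - fields that are neither known-secret nor known-marker and need review
    """
    account = json.loads(text).get("accountData", {})
    return {
        "secret": sorted(k for k in account if k in SECRET_FIELDS),
        "bearer": sorted(k for k in account if k in BEARER_FIELDS),
        "unknown": sorted(k for k in account
                          if k not in SECRET_FIELDS and k not in MARKER_FIELDS),
    }


def split_account_data(account):
    """Partition account data the way comment 2 suggests.

    The first dict is safe to keep in the profile directory as a "logged in"
    marker; the second holds everything else and belongs in a protected store.
    Unknown fields go to the protected side by default (fail closed).
    """
    marker = {k: v for k, v in account.items() if k in MARKER_FIELDS}
    protected = {k: v for k, v in account.items() if k not in MARKER_FIELDS}
    return marker, protected


class InMemoryProtectedStore:
    """Stand-in for a platform keystore; a real backend would be per-OS (comment 1)."""

    def __init__(self):
        self._items = {}

    def put(self, uid, secrets):
        self._items[uid] = dict(secrets)

    def get(self, uid):
        return dict(self._items.get(uid, {}))


def persist_split(account, store):
    """Write the marker to 'disk' (returned as JSON text) and secrets to the store."""
    marker, protected = split_account_data(account)
    store.put(account["uid"], protected)
    return json.dumps({"version": 1, "accountData": marker})


if __name__ == "__main__":
    print("pre-fix audit :", audit_signed_in_user(FULL_BUNDLE))
    print("post-fix audit:", audit_signed_in_user(REDUCED_BUNDLE))
    store = InMemoryProtectedStore()
    on_disk = persist_split(json.loads(FULL_BUNDLE)["accountData"], store)
    print("on disk       :", on_disk)
    print("after split   :", audit_signed_in_user(on_disk))
```

Running the audit over the pre-fix sample lists all four key fields as findings; running it over the reduced sample, or over the marker produced by the split, lists none, leaving only the session token as the remaining on-disk credential.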