+++ This bug was initially created as a clone of Bug #970167 +++ In the course of reviewing Bug 967047, I noticed that FxA credentials weren't stored in Password Manager. "Huh", I thought. "So where are they?" The answer is "in a JSON file named signedInUser.json, in the profile directory, complete with kB and every other value associated with your account". This seems less than ideal. There are very real problems with storing credentials in Password Manager, but… 18:38:53 < jbonacci> O_O 18:39:09 < jbonacci> that feels like a bug 18:41:37 < rfkelly> wat? 18:42:17 < rfkelly> rnewman that smells bad; please file something about it 18:50:38 < jbonacci> rfkelly crap 18:50:40 < jbonacci> he is right 18:50:44 < jbonacci> I am looking right at it Marking this as a blocker; please triage and correct if the three of us are missing some context. Note that this doesn't affect the separate implementation on Firefox on Android, where the OS provides isolation and some security for credentials.

Bug 970167 has mitigated this problem in the short (hopefully not too long) term by disabling password sync when a master password is set. Finding a cross-platform way to secure the sync credentials will be tricky. We can maybe rely on system APIs for storing passwords/keys, but that requires writing at least three separate backends for it.

If we don't mind replicating the poor UX experience of the existing sync with a master-password, I imagine we could store enough of the information in the profile directory to verify we are (theoretically) logged in, and the credentials themselves in the password protected store. This doesn't seem optimal, but worth mentioning as another option we have.

This was fixed by 1013064.

(in the case where a master password is set)

+ Tracy Walker

Verified as fixed on FF 34.10b OS: WIn 7 x64, Ubuntu 14.04 x64 the information stocked on signedInUser.json is reduced to: {"version":1,"accountData":{"email":"useremail","uid":"b9ee.....","sessionToken":"ae8.......bd0d4dbf","verified":true}}