Hello Jasper! I agree that this situation is not desirable. I'm leaning toward a wontfix verdict for this, though, as this is a WebExtension and I'd like to use that API exclusively to stay compatible with other browsers. Sadly, however, WebExtensions have no way to explicitly store sensitive data securely, so I'm going to bring this to the attention of Mozilla's devs and see what their advice is.
password stored in cleartext in firefox
The owncloud password is stored in cleartext in the Firefox profile folder. Pls store it in the Firefox password store (which can be encrypted with a master password).
- 点赞 评论 复制链接分享
- weixin_39977547 5月前
Eish, this shift by Mozilla to WebExtension is even more hopeless than I was aware. I would advise to keep the bug open for the time being, as it's definitely a bug.点赞 评论 复制链接分享
- weixin_39700397 5月前
I agree, keep this open for the moment, it's a pretty nasty security hole. I noticed my password in the plaintext of the logs when floccus starts a session.点赞 评论 复制链接分享
- weixin_39953740 5月前
Hi, Can we get an option to not save the password at all only cache it for the browser session duration?点赞 评论 复制链接分享
That would be a nice option, indeed. I'll see what I can do to implement this.点赞 评论 复制链接分享
- weixin_39562752 5月前
Is there already a solution to this problem in sight?
If not, you should at least display a warning that the password is stored as plain text. On a single computer, that may be acceptable. In a multi-user environment with NFS-home it is not.点赞 评论 复制链接分享
The develop branch has a first pass of an implementation that allows you to encrypt your credentials with a key, that you'll need to enter on every browser start.点赞 评论 复制链接分享
...and it's released. Happy syncing, securely! :)点赞 评论 复制链接分享