weixin_39977547
2020-11-29 05:05

password stored in cleartext in firefox

The owncloud password is stored in cleartext in the Firefox profile folder. Please store it in the Firefox password store (which can be encrypted with a master password).

This question comes from the open-source project: marcelklehr/floccus

8 answers

  • weixin_39522408, 5 months ago

    Hello Jasper! I agree that this situation is not desirable. I'm leaning toward a wontfix verdict for this, though, as this is a WebExtension and I'd like to use that API exclusively to stay compatible with other browsers. Sadly, however, WebExtensions have no way to explicitly store sensitive data securely, so I'm going to bring this to the attention of Mozilla's devs and see what their advice is.

  • weixin_39977547, 5 months ago

    Eish, this shift by Mozilla to WebExtension is even more hopeless than I was aware. I would advise to keep the bug open for the time being, as it's definitely a bug.

  • weixin_39700397, 5 months ago

    I agree, keep this open for the moment, it's a pretty nasty security hole. I noticed my password in the plaintext of the logs when floccus starts a session.

  • weixin_39953740, 5 months ago

    Hi, can we get an option to not save the password at all and only cache it for the browser session duration?

  • weixin_39522408, 5 months ago

    That would be a nice option, indeed. I'll see what I can do to implement this.

  • weixin_39562752, 5 months ago

    Is there already a solution to this problem in sight?

    If not, you should at least display a warning that the password is stored as plain text. On a single computer, that may be acceptable. In a multi-user environment with NFS-home it is not.

  • weixin_39522408, 5 months ago

    The develop branch has a first pass of an implementation that allows you to encrypt your credentials with a key that you'll need to enter on every browser start.

  • weixin_39522408, 5 months ago

    ...and it's released. Happy syncing, securely! :)
