Bug 1745687 (CVE-2019-11733) - CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied without master password entry
Summary: CVE-2019-11733 firefox: stored passwords in 'Saved Logins' can be copied with...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11733
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1745688 1745828 1745829 1745831
Blocks: 1745825
TreeView+ depends on / blocked
 
Reported: 2019-08-26 16:07 UTC by msiddiqu
Modified: 2021-02-26 08:04 UTC (History)
15 users (show)

Fixed In Version: Firefox 68.0.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-12 12:46:06 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2694 0 None None None 2019-09-10 09:12:53 UTC
Red Hat Product Errata RHSA-2019:2729 0 None None None 2019-09-11 09:56:56 UTC

Description msiddiqu 2019-08-26 16:07:57 UTC
When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard thorough the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.

Comment 1 msiddiqu 2019-08-26 16:08:17 UTC
Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 1745688]

Comment 2 msiddiqu 2019-08-26 16:09:31 UTC
External References:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/

Comment 3 Bill Sanford 2019-09-05 16:41:05 UTC
I am using 68.0.2 on F30 and I still see something I am not sure is correct.

What I am seeing is:

1. Set Master password
2. Go go Gmail, enter Gmail password and add account and password to Master, when prompted.
3. Logout of Gmail and close browser.
4. Open Firefox, load Gmail and I am asked for Master before I can get to Gmail.
5. Logout of Gmail and don't close browser.
6. Log into Gmail and without prompting from entering Master password I can see and copy the existing password from Gmail.

It seems like closing the browser is the gating factor. I only have Gmail added to the Master.

Comment 4 errata-xmlrpc 2019-09-10 09:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2694 https://access.redhat.com/errata/RHSA-2019:2694

Comment 6 Jan Horak 2019-09-10 13:52:26 UTC
(In reply to Bill Sanford from comment #3)
> I am using 68.0.2 on F30 and I still see something I am not sure is correct.
> 
> What I am seeing is:
> 
> 1. Set Master password
> 2. Go go Gmail, enter Gmail password and add account and password to Master,
> when prompted.
> 3. Logout of Gmail and close browser.
> 4. Open Firefox, load Gmail and I am asked for Master before I can get to
> Gmail.
> 5. Logout of Gmail and don't close browser.
> 6. Log into Gmail and without prompting from entering Master password I can
> see and copy the existing password from Gmail.
> 
> It seems like closing the browser is the gating factor. I only have Gmail
> added to the Master.
Since we don't have access to the upsstream security bug, we've move it to upstream to decide: https://bugzilla.mozilla.org/show_bug.cgi?id=1580203

Comment 7 Jan Horak 2019-09-11 06:32:41 UTC
Bill, according to upstream, everything is okay: https://bugzilla.mozilla.org/show_bug.cgi?id=1580203#c1

Comment 8 errata-xmlrpc 2019-09-11 09:56:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2729 https://access.redhat.com/errata/RHSA-2019:2729

Comment 9 Product Security DevOps Team 2019-09-12 12:46:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11733


Note You need to log in before you can comment on or make changes to this bug.