When a master password is set, it is required to be entered again before stored passwords can be accessed in the 'Saved Logins' dialog. It was found that locally stored passwords can be copied to the clipboard through the 'copy password' context menu item without re-entering the master password if the master password had been previously entered in the same session, allowing for potential theft of stored passwords.
Created firefox tracking bugs for this issue: Affects: fedora-all [bug 1745688]
External References: https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/
I am using 68.0.2 on F30 and I still see something I am not sure is correct.

What I am seeing is:

1. Set Master password
2. Go to Gmail, enter Gmail password and add account and password to Master, when prompted.
3. Logout of Gmail and close browser.
4. Open Firefox, load Gmail and I am asked for Master before I can get to Gmail.
5. Logout of Gmail and don't close browser.
6. Log into Gmail and without being prompted to enter the Master password I can see and copy the existing password from Gmail.

It seems like closing the browser is the gating factor. I only have Gmail added to the Master.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:2694 https://access.redhat.com/errata/RHSA-2019:2694
(In reply to Bill Sanford from comment #3)
> I am using 68.0.2 on F30 and I still see something I am not sure is correct.
>
> What I am seeing is:
>
> 1. Set Master password
> 2. Go to Gmail, enter Gmail password and add account and password to Master,
> when prompted.
> 3. Logout of Gmail and close browser.
> 4. Open Firefox, load Gmail and I am asked for Master before I can get to
> Gmail.
> 5. Logout of Gmail and don't close browser.
> 6. Log into Gmail and without being prompted to enter the Master password I can
> see and copy the existing password from Gmail.
>
> It seems like closing the browser is the gating factor. I only have Gmail
> added to the Master.

Since we don't have access to the upstream security bug, we've moved it to upstream to decide: https://bugzilla.mozilla.org/show_bug.cgi?id=1580203
Bill, according to upstream, everything is okay: https://bugzilla.mozilla.org/show_bug.cgi?id=1580203#c1
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2729 https://access.redhat.com/errata/RHSA-2019:2729
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11733