Floccus: password stored in cleartext in Firefox

Created on 20 May 2017 · 8 Comments · Source: floccusaddon/floccus

The ownCloud password is stored in cleartext in the Firefox profile folder. Please store it in the Firefox password store (which can be encrypted with a master password).

bug upstream

All 8 comments

Hello Jasper! I agree that this situation is not desirable. I'm leaning toward a wontfix verdict for this, though, as this is a WebExtension and I'd like to use that API exclusively to stay compatible with other browsers. Sadly, however, WebExtensions have no way to explicitly store sensitive data securely, so I'm going to bring this to the attention of Mozilla's devs and see what their advice is.

Eish, this shift by Mozilla to WebExtension is even more hopeless than I was aware. I would advise keeping the bug open for the time being, as it's definitely a bug.

I agree, keep this open for the moment, it's a pretty nasty security hole.
I noticed my password in the plaintext of the logs when floccus starts a session.

Hi,
Can we get an option to not save the password at all, and only cache it for the duration of the browser session?

That would be a nice option, indeed. I'll see what I can do to implement this.

Is there already a solution to this problem in sight?

If not, you should at least display a warning that the password is stored as plain text. On a single computer, that may be acceptable. In a multi-user environment with NFS-home it is not.

The develop branch has a first pass of an implementation that allows you to encrypt your credentials with a key that you'll need to enter on every browser start.

...and it's released. Happy syncing, securely! :)
