firefox password manager sync between pc and android 8.0 reveals passwords on synced android 8.0 without ever entering master password for ffx on android device
hi just found a password manager securityleak:
firefox password manager sync between pc and android reveals passwords on synced android without ever having enteredmaster password on android device
pls try it for yourself.
more: 1. I synced all Firefox data between PC (Linux, my main device for accessing websites when I need user/pwd access with my android mobile device. on the PC i use a root password for the password manager
2. I never entered a Firefox password-manager root password on my android 8.0 device, yet on the device I am able to see the password info.
This creates a password security flaw on android devices syncing passwords with other devices without users being aware because they may presume that if you never entered a root password tot the Firefox password manager on your android it 'should' not be open to easy access..
All Replies (2)
If you sync passwords then passwords are protected on other connected devices like other passwords on that device, each with their own master password. That means that you need to set a master password on each device. The MP is never transferred to other devices, only all data send to the Sync server is encrypted locally with a Sync key before it leaves the computer. I don't know if syncing passwords is disabled to devices that aren't using a MP (I think that used to happen in the past).
thanks.
after discovering that the android device revealed ffx passwords from the synced ffx password-manager I did set a root password for the password-manager.
but before that, the synced passwords were visible on the android device with no root password ever entered to the password-manager on the android device.
so a surprising security flaw it is, in my experience.
maybe others can test this and then hopefully this is accepted as feedback to the ffx developer team.
best regards