floccusaddon/floccus

password included in export profile

Closed this issue · 5 comments

Which version of floccus are you using?

5.0.8

Sync method

Nextcloud Bookmarks

Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please.

No response

Which version of Nextcloud Bookmarks are you using? (if relevant)

No response

Which version of Nextcloud? (if relevant)

No response

What kind of WebDAV server are you using? (if relevant)

No response

Describe the Bug

When exporting a profile, the password / token gets exported as well.

Expected Behavior

Field shouldn't be exported / left empty IMHO. This would increase security if you want to put the export file in a git repository or share it between different devices.

To Reproduce

  1. export profile
  2. see “password” key

Debug log provided

  • I have provided a debug log file

Hello 👋

Thank you for taking the time to open this issue with floccus. I know it's frustrating when software
causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at
and if possible solved.
I'm Marcel and I created floccus and have been maintaining it ever since.
I currently work for Nextcloud which leaves me with less time for side projects like this one
than I used to have.
I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it.
Until then, please be patient.
Note also that GitHub is a place where people meet to make software better together. Nobody here is under any obligation
to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can
collaborate to make this software better. For everyone.
Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge
and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and
try to fix the odd bug yourself. Everyone will be thankful for extra helping hands!
One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the forum,
to twitter or somewhere else. But this is a technical issue tracker, so please make sure to
focus on the tech and keep your opinions to yourself.

I look forward to working with you on this issue
Cheers 💙

Hey @j-lakeman
This is sort of by design. The whole point of the account export is to be able to quickly set up the same accounts on other devices. If you would have to re-enter the password this functionality would be a bit pointless. I understand that this is not entirely ideal security-wise.

This makes me question the whole security design of this addon.
Why store the main password for the account? Shouldn't just the device/session token be stored? Now if I remove a device from the Nextcloud security page it just creates a new device/session?

@Mace404 The use of the word password and / or the word account may be ambiguous here. Let me try to clarify: When you use Nextcloud Bookmarks to sync, you login with Nextcloud as part of the sync profile setup (previously called "accounts" in floccus). Floccus doesn't store this password and doesn't have access to it. Floccus in this case receives an app password or device token instead which is also part of the export if you export a profile. If you have a profile that syncs via WebDAV for example there is no device token, so the passwords will be exported directly.

Why store the main password for the account?

This doesn't happen.

Shouldn't just the device/session token be stored?

Yes that's what happens.

Now if I remove a device from the Nextcloud security page it just creates a new device/session?

No, it will fail to authenticate.
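A defender-side check, added here as an example and not part of floccus itself: before putting an exported profile into a git repository or sharing it between devices (the use case raised in the issue), strip the credential fields. Only the "password" key is named in the thread; the export layout, the extra key names and the sample file are assumptions constructed for this example.

```python
"""Redact credential fields from an exported floccus profile before sharing it."""
import json

# Key names treated as secrets. "password" is the key named in the issue; the
# others are assumptions so that app-password / token style fields are caught too.
SECRET_KEYS = frozenset({"password", "passphrase", "token", "apppassword", "app_password"})
REDACTED = "<REDACTED>"


def redact(obj):
    """Return (copy, count): a deep copy with secret string values replaced."""
    if isinstance(obj, dict):
        out, n = {}, 0
        for key, value in obj.items():
            if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                out[key] = REDACTED
                n += 1
            else:
                out[key], m = redact(value)
                n += m
        return out, n
    if isinstance(obj, list):
        items = [redact(v) for v in obj]
        return [clean for clean, _ in items], sum(m for _, m in items)
    return obj, 0  # scalars are copied through unchanged


def redact_export(text):
    """Parse an export file, redact it, return (clean JSON text, secrets found)."""
    clean, n = redact(json.loads(text))
    return json.dumps(clean, indent=2), n


# Constructed sample export; the structure is an assumption, not floccus' real format.
SAMPLE_EXPORT = json.dumps([
    {"type": "nextcloud-bookmarks", "url": "https://cloud.example.invalid",
     "username": "alice", "password": "app-password-constructed"},
    {"type": "webdav", "url": "https://dav.example.invalid/floccus/",
     "username": "alice", "password": "webdav-password-constructed"},
    {"type": "local", "password": ""},  # empty value: nothing to redact
])

if __name__ == "__main__":
    cleaned, found = redact_export(SAMPLE_EXPORT)
    print(f"redacted {found} credential field(s)")
    print(cleaned)
```

Run it over the real export and commit the cleaned output instead; the count tells you whether the file still carried credentials.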

Why store the main password for the account?

This doesn't happen.

Then why is my password in an export file? (in clear text)

Shouldn't just the device/session token be stored?

Yes that's what happens.

Now if I remove a device from the Nextcloud security page it just creates a new device/session?

No, it will fail to authenticate.

Just did and it re-added itself because of the stored password.

Now created an app password myself and entered that to have a bit more control, but your description of storing just the device/session is not what is happening in my experience.