marius-wieschollek/passwords-webextension

Firefox Sync synchronizes URL, username and password in cleartext

Opened this issue · 2 comments

System Information

  • Extension Version: 2.2.6
  • App Version: 2022.11.21
  • Browser and Version: Firefox 108.0.1
  • Client OS and Version: Windows 10

Steps to reproduce

  1. Set up Passwords Extension
  2. Log in to Firefox Sync (syncing only Add-ons and Settings)
  3. Inspect synced extension data (extension-storage) with Firefox Addon About Sync

Actual result

The passwords extension syncs, among other data, the server URL (baseUrl), username (user) and password (token) in cleartext.

Expected result

I would expect it to only sync the server URL and an actual token (generated access token, or whatever Nextcloud provides, instead of username and password).

My first guess would be that this data is stored in the storage.sync area, which is synchronized with Firefox Sync.

From a privacy perspective, this should definitely be given a look!

This is a known issue. Firefox & Chrome provide no way of securely storing login data.
That's why you can't use your password for the extension.

> Firefox & Chrome provide no way of securely storing login data.

Should it then be considered not syncing the credentials at all (and keeping it only in local storage)?
Or is this a standard approach of Firefox extensions?

> That's why you can't use your password for the extension.

Well, I don't know if it used my user's Nextcloud password, but it definitely synced it to Firefox.
I assume that it used a password login, since I set up the extension quite a while ago.

Yesterday, I removed my account in the extension and re-added it (via PassLink).
After another check in About Sync, it was now using (and obviously syncing) an app password/token instead of the user password.
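
The split raised in the thread (server URL may sync, credentials stay on the device), as an added example that is not code from the passwords-webextension project. It routes the keys named in the issue (`baseUrl`, `user`, `token`) between `storage.sync` and `storage.local` and checks the synced area for leftover credentials. The function names and the in-memory storage stand-in are hypothetical, and keeping a value in `storage.local` only keeps it off Firefox Sync, it does not protect the local copy.

```javascript
// Added example; not code from the passwords-webextension project.
// Key names baseUrl, user and token are the ones reported in the issue.
const LOCAL_ONLY_KEYS = new Set(["user", "token"]);

// Split settings into the part that may roam via storage.sync and the
// part that must stay in storage.local on this device.
function partitionSettings(settings) {
  const syncPart = {};
  const localPart = {};
  for (const [key, value] of Object.entries(settings)) {
    (LOCAL_ONLY_KEYS.has(key) ? localPart : syncPart)[key] = value;
  }
  return { syncPart, localPart };
}

// `storage` has the shape of the WebExtension `browser.storage` object:
// { sync, local }, each a StorageArea with set(), get() and remove().
async function saveSettings(storage, settings) {
  const { syncPart, localPart } = partitionSettings(settings);
  await storage.local.set(localPart);
  await storage.sync.set(syncPart);
  // Clear credential copies that an earlier save left in the synced area.
  await storage.sync.remove([...LOCAL_ONLY_KEYS]);
}

// Audit: given the full contents of the synced area, list credential keys in it.
function findSyncedCredentials(syncContents) {
  return Object.keys(syncContents).filter((k) => LOCAL_ONLY_KEYS.has(k)).sort();
}

// Hypothetical in-memory stand-in for a StorageArea so the example runs
// outside a browser. Its get() ignores key filters and returns everything.
function makeMemoryArea(initial = {}) {
  const data = { ...initial };
  return {
    async set(items) { Object.assign(data, items); },
    async get() { return { ...data }; },
    async remove(keys) { for (const k of [].concat(keys)) delete data[k]; },
  };
}
```

In an extension, `saveSettings(browser.storage, settings)` would be the call, and `findSyncedCredentials(await browser.storage.sync.get(null))` the audit.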