[SECURITY] Master Password does not work until browser restart

Open shinenelson opened this issue 4 years ago • 0 comments

Steps to reproduce

  1. Install the Extension
  2. Login to Passman vault
  3. Set a Master Password ( do NOT remember it locally; what's the point of a password manager if the master key is stored unencrypted on the local file system? ) -> Do NOT restart the browser
  4. Click the lock icon to lock the extension
  5. Click 'Unlock' button
  6. Search for saved password from vault

Expected behaviour

The extension should report an error ( #320 ) and not unlock the vault.

Actual behaviour

Due to #320 and probably because the password vault was just unsealed during setup, it is still accessible. And unlike in #320, the extension is active and triggered on website form fields. However, they don't autofill into the form fields, unlike in properly unsealed mode, where the fields are automatically filled in. All passwords are directly accessible and viewable ( at least ) from the extension though.

Screenshots

Search in locked state: [Screenshot from 2020-03-24 05-09-42]

Triggering on websites: [Screenshot_2020-03-24 Client Area]

Configuration

Operating system: Ubuntu 18.04.4 LTS

Browser: Firefox 75.0

Extensions that might cause interference: Nextcloud Passwords, LessPass

Passman version: 2.3.5

Extension version: 2.1.1

Nextcloud version: 18.0.0


shinenelson · Mar 24 '20 00:03
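The behaviour the report expects (once locked, nothing is readable until the master password is verified again) can be written as a regression check. This is an added example, not code from passman-webextension or from the reporter; `VaultSession`, its methods and `replayReport` are hypothetical names, the sample entry is constructed, and Node.js `crypto` stands in for whatever the extension uses.

```javascript
// Hypothetical model of a vault session (assumption: not the extension's real design).
const crypto = require('crypto');
const derive = (password, salt) => crypto.scryptSync(password, salt, 32);
const digest = (buf) => crypto.createHash('sha256').update(buf).digest();

class VaultSession {
  constructor(entries) {
    this.entries = entries; // constructed sample data
    this.key = this.salt = this.verifier = null; // key lives in memory only while unlocked
  }
  // Step 3: set a master password without remembering it locally.
  setMasterPassword(password) {
    this.salt = crypto.randomBytes(16);
    this.key = derive(password, this.salt);
    this.verifier = digest(this.key);
  }
  // Step 4: locking wipes the key left over from setup, not just a UI flag.
  lock() {
    if (this.key) this.key.fill(0);
    this.key = null;
  }
  // Step 5: unlock succeeds only if the password re-derives the same key.
  unlock(password) {
    if (!this.verifier) return false;
    const candidate = derive(password, this.salt);
    if (!crypto.timingSafeEqual(digest(candidate), this.verifier)) {
      candidate.fill(0);
      return false;
    }
    this.key = candidate;
    return true;
  }
  // Step 6: every read path checks for the key, so a locked vault returns nothing.
  search(term) {
    if (!this.key) throw new Error('vault is locked');
    return this.entries.filter((e) => e.label.includes(term));
  }
}

// Replays steps 3-6 of the report against constructed data.
function replayReport() {
  const v = new VaultSession([{ label: 'Client Area', secret: 'constructed-secret' }]);
  v.setMasterPassword('constructed-master-password');
  v.lock();
  let lockedSearch = 'leaked';
  try { v.search('Client'); } catch (e) { lockedSearch = e.message; }
  const wrong = v.unlock('wrong-guess');
  const stillLocked = v.key === null;
  return { lockedSearch, wrong, stillLocked, right: v.unlock('constructed-master-password'), hits: v.search('Client').length };
}
```

In this model a search in the locked state, as in the first screenshot, fails with an error instead of returning entries, and a failed unlock leaves the session locked.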