passman-webextension
[SECURITY] Master Password does not work until browser restart
Steps to reproduce
- Install the Extension
- Login to Passman vault
- Set a Master Password ( do NOT remember it locally; what's the point of a password manager if the master key is stored unencrypted on the local file system? ) -> Do NOT restart the browser
- Click the lock icon to lock the extension
- Click 'Unlock' button
- Search for saved password from vault
Expected behaviour
The extension should report an error ( #320 ) and not unlock the vault.
Actual behaviour
Due to #320 and probably because the password vault was just unsealed during setup, it is still accessible. And unlike in #320, the extension is active and triggered on website form fields. However, they don't autofill into the form fields, unlike in properly unsealed mode, where the fields are automatically filled in. All passwords are directly accessible and viewable ( at least ) from the extension though.
Screenshots
Search in locked state
Triggering on websites
Configuration
Operating system: Ubuntu 18.04.4 LTS
Browser: Firefox 75.0
Extensions that might cause interference: Nextcloud Passwords, LessPass
Passman version: 2.3.5
Extension version: 2.1.1
Nextcloud version: 18.0.0