[GH-ISSUE #159] Need to protect the server password #149

New issue

Closed

opened 2026-02-25 22:36:17 +03:00 by kerem · 14 comments

kerem commented 2026-02-25 22:36:17 +03:00

Owner

Copy link

Originally created by @nachoparker on GitHub (Aug 30, 2018).
Original GitHub issue: https://github.com/floccusaddon/floccus/issues/159

Hello,

First, thank you for your hard work in this addon. I have been using it for a few days and it is really nice!!

The only bad thing I see about it is sadly a serious one. I downloaded the debug log and to my surprise there it was, my server's password.

A simple grep -r mypass in the ~/.mozilla folder showed me that any agent that manages read access to this folder will immediately gain access to my private cloud where I store all my sensitive private information.

What would be the best way to grant access without storing the password in plain text? Maybe the user could be required to generate a random tokens to decrypt the password that then would only be unencrypted in memory before being sent through HTTPS.

Thoughts?

Originally created by @nachoparker on GitHub (Aug 30, 2018). Original GitHub issue: https://github.com/floccusaddon/floccus/issues/159 Hello, First, thank you for your hard work in this addon. I have been using it for a few days and it is really nice!! The only bad thing I see about it is sadly a serious one. I downloaded the debug log and to my surprise there it was, my server's password. A simple `grep -r mypass` in the `~/.mozilla` folder showed me that any agent that manages read access to this folder will immediately gain access to my private cloud where I store all my sensitive private information. What would be the best way to grant access without storing the password in plain text? Maybe the user could be required to generate a random tokens to decrypt the password that then would only be unencrypted in memory before being sent through HTTPS. Thoughts?

kerem 2026-02-25 22:36:17 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Aug 30, 2018):

Hey nacho! Thanks for your kind words :)
The password leakage you mention is actually a regression, as the passwords are persisted in an encrypted fashion if you set a n extension passphrase, but the logging mechanism doesn't care about that, yet. I'll get on it :)

<!-- gh-comment-id:417364613 --> @marcelklehr commented on GitHub (Aug 30, 2018): Hey nacho! Thanks for your kind words :) The password leakage you mention is actually a regression, as the passwords are persisted in an encrypted fashion if you set a n extension passphrase, but the logging mechanism doesn't care about that, yet. I'll get on it :)

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@nachoparker commented on GitHub (Aug 31, 2018):

Thank you! that was fast!

my password is still in cleartext in firefox/w24O4c.default/browser-extension-data/floccus@handmadeideas.org/storage.js, I think it should be somehow encrypted. Agree?

<!-- gh-comment-id:417549885 --> @nachoparker commented on GitHub (Aug 31, 2018): Thank you! that was fast! my password is still in cleartext in `firefox/w24O4c.default/browser-extension-data/floccus@handmadeideas.org/storage.js`, I think it should be somehow encrypted. Agree?

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Aug 31, 2018):

Have you set a passphrase (Tick "secure your credentials") and restarted your browser? I think, that file is only written when you close the browser.

<!-- gh-comment-id:417612942 --> @marcelklehr commented on GitHub (Aug 31, 2018): Have you set a passphrase (Tick "secure your credentials") and restarted your browser? I think, that file is only written when you close the browser.

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@nachoparker commented on GitHub (Aug 31, 2018):

I have, but the password is still there

<!-- gh-comment-id:417652816 --> @nachoparker commented on GitHub (Aug 31, 2018): I have, but the password is still there

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Aug 31, 2018):

Fooo. That's tough. Which adapter? Which firefox version?

<!-- gh-comment-id:417665660 --> @marcelklehr commented on GitHub (Aug 31, 2018): Fooo. That's tough. Which adapter? Which firefox version?

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@nachoparker commented on GitHub (Sep 1, 2018):

firefox 61.0.2

adapter? what is an adapter?

<!-- gh-comment-id:417817699 --> @nachoparker commented on GitHub (Sep 1, 2018): firefox 61.0.2 adapter? what is an adapter?

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Sep 1, 2018):

Sorry. Which backend are you using? XBEL/WebDAV or Nextcloud Bookmarks? :)

<!-- gh-comment-id:417817957 --> @marcelklehr commented on GitHub (Sep 1, 2018): Sorry. Which backend are you using? XBEL/WebDAV or Nextcloud Bookmarks? :)

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@nachoparker commented on GitHub (Sep 1, 2018):

aah :D

NC bookmarks

<!-- gh-comment-id:417818007 --> @nachoparker commented on GitHub (Sep 1, 2018): aah :D NC bookmarks

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Sep 1, 2018):

Which floccus version?

<!-- gh-comment-id:417818292 --> @marcelklehr commented on GitHub (Sep 1, 2018): Which floccus version?

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@nachoparker commented on GitHub (Sep 1, 2018):

floccus 3.0.6

<!-- gh-comment-id:417876644 --> @nachoparker commented on GitHub (Sep 1, 2018): floccus 3.0.6

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Sep 2, 2018):

Aah, now I get it. The logs are not cleared, of course, so the existing log data that still contain the password are of course still there. You can uninstall and reinstall the extension to fix that. (You really had my questioning myself there :D)

EDIT: By deafult, the log rotates with a cycle of 2500 entries, so after a while your password will rotate out of the file ;)

<!-- gh-comment-id:417933634 --> @marcelklehr commented on GitHub (Sep 2, 2018): Aah, now I get it. The logs are not cleared, of course, so the existing log data that still contain the password are of course still there. You can uninstall and reinstall the extension to fix that. (You really had my questioning myself there :D) EDIT: By deafult, the log rotates with a cycle of 2500 entries, so after a while your password will rotate out of the file ;)

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@nachoparker commented on GitHub (Sep 2, 2018):

I don't know when it happened, but the password is now encrypted in storage.js. This file doesn't seem to be logs (which I deleted), but the user configuration. In any case seems to be solved.

I suggest you make password protection mandatory, non optional in order to protect your users. We all know that most people will not protect their passwords otherwise.

Many thanks for the help!

<!-- gh-comment-id:417934345 --> @nachoparker commented on GitHub (Sep 2, 2018): I don't know when it happened, but the password is now encrypted in `storage.js`. This file doesn't seem to be logs (which I deleted), but the user configuration. In any case seems to be solved. I suggest you make password protection mandatory, non optional in order to protect your users. We all know that most people will not protect their passwords otherwise. Many thanks for the help!

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@marcelklehr commented on GitHub (Sep 2, 2018):

I suggest you make password protection mandatory, non optional in order to protect your users. We all know that most people will not protect their passwords otherwise.

Good idea! :)

<!-- gh-comment-id:417935379 --> @marcelklehr commented on GitHub (Sep 2, 2018): > I suggest you make password protection mandatory, non optional in order to protect your users. We all know that most people will not protect their passwords otherwise. Good idea! :)

kerem commented 2026-02-25 22:36:18 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Mar 21, 2023):

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

<!-- gh-comment-id:1477739055 --> @github-actions[bot] commented on GitHub (Mar 21, 2023): This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/fast-xml-parser-5.7.0

dependabot/npm_and_yarn/xmldom/xmldom-0.8.13

dependabot/npm_and_yarn/protocol-buffers-schema-3.6.1

master

fix/xml-entity-limit

all-contributors/add-aaryanvangari

fix/subscanner-residuals

test/subscanner-residuals

test/problematic-seeds

perf/improve-build-time

perf/native-startup

fix/continuation-null-cheks

dropbox

fix/clear-indexeddb-after-sync

dependabot/npm_and_yarn/vuetify-3.11.4

fix/slim-down-continuation

test/background-worker

refactor/fail-build-if-native-uses-browser-api

feat/improve-failsafe-wording

dependabot/npm_and_yarn/multi-0520f5abeb

feat/release-build

fix/more-mapping-errors

dependabot/npm_and_yarn/intl-messageformat-10.7.18

enh/split-sync-interval-and-auto-sync

enh/gdrive-timeout

feat/safari

feat/capabilities

feat/xxhash3

feat/murmur3

fix/gdrive-error-handling

fix/correctness-fixes

fix/linkwarden

feat/orion

fix/nocache-tests

feat/tab-groups

fix/git-never-force-push

fix/xbel-parse-errors

fix/git-push-errors

fix/chrome-main-folder-ids

dependabot/npm_and_yarn/multi-a9f852c250

chore/use-local-linkwarden-container-in-ci

all-contributors/add-balthanon

dependabot/npm_and_yarn/multi-7c5da94753

fix/revert-indexeddb-logger

fix/acknowlegde-abuse

dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.10

fix/rip-out-continuations

fix/webdav-filesize-depth-header

fix/changes-while-syncing

fix/addition-failsafe-minimum

feat/indexeddb-logs

feat/addition-failsafe

fix/webdav-check-filesize

fix/orion

fix/bounded-exponential-backoff

fix/dont-repeat-on-sync-fail

fix-tests

fix/speedup-tab-update-cb

all-contributors/add-andybalaam

all-contributors/add-macrogreg

fix/parse-tag-value

fix/cleanup-deps

refactor/partial-set-data-with-lock

fix/nc-bookmarks-update

fix/move-stabiltiy-same-titled-folders

fix/ios-share-extension

fix/update-selenium

fix/chrome-net-errors

enh/nc-bm-js

sentry

fix/unidirectional-scanner-shoudl-use-mappings

enh/interrupts

dependabot/npm_and_yarn/vue-loader-17.4.2

ci/build-ios

enh/manifest-v3

release/4.19.0

fix/codeql

fix/google-drive-ios

all-contributors/add-dmotte

fix/unidirectional-sync

fix/interrupts

all-contributors/add-pinpontitit

all-contributors/add-dsiminiuk

test/old-apis

test/interrupts-on-nextcloud-bookmarks

feature/no-hashing-in-diff

feature/improve-diff-performance

capacitor

enh/rename-nextcloud-folders

fix/complex-hierarchy-reversal-2

tests/coverage

feature/google-drive

dependabot/npm_and_yarn/eslint-plugin-vue-7.6.0

fix/crypto

dependabot/npm_and_yarn/sass-1.32.7

dependabot/npm_and_yarn/css-loader-5.0.2

dependabot/npm_and_yarn/webpack-cli-4.5.0

fix/performance-hash-caching

dependabot/npm_and_yarn/eslint-plugin-standard-5.0.0

dependabot/npm_and_yarn/sass-loader-10.1.1

dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.0

dependabot/npm_and_yarn/webpack-merge-5.7.3

dependabot/npm_and_yarn/p-queue-6.6.2

dependabot/npm_and_yarn/throttle-debounce-3.0.1

fix/lww-move-test

fix/overwrite-strategy

fix/root-folder-sync

enh/local-hash-cash

test/ci

ui/vue

cookie-hack

fix/travis

rollup

refactor/ui

webdav

refactor/modularize

v5.9.1

v5.9.0

v5.8.6

v5.8.5

v5.8.4

v5.8.3

v5.8.2

v5.8.1

v5.8.0

v5.7.0

v5.6.0

v5.5.6

v5.5.5

v5.5.4

v5.5.3

v5.5.2

v5.5.1

v5.5.0

v5.4.5

v5.4.4

v5.4.3

v5.4.2

v5.4.2-alpha.1

v5.4.1

v5.4.0

v5.3.4

v5.3.3

v5.3.1

v5.3.0

v5.3.0-beta.1

v5.2.7

v5.2.6

v5.2.5

v5.2.4

v5.2.3

v5.2.2

v5.2.1

v5.2.0

v5.2.0-beta.3

v5.2.0-beta.2

v5.2.0-beta.1

v5.1.7

v5.1.6

v5.1.5

v5.1.4

v5.1.3

5.1.3-beta.1

v5.1.2

v5.1.1

v5.1.0

v5.0.12

v5.0.12-beta.1

v5.0.11

v5.0.10

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.19.1

v4.19.0

v4.18.1

v4.18.0

v4.17.1

v4.17.0

v4.16.0

v4.15.0

v4.14.0

v4.13.1

v4.13.0

v4.12.0

v4.11.0

v4.11.0-alpha.0

v4.10.1

v4.10.0

v4.9.0

v4.8.7

v4.8.6

v4.8.4

v4.8.3

v4.8.2

v4.8.1

v4.8.0

v4.7.0

v4.6.4

v4.6.3

v4.6.2

v4.6.1

v4.6.0

v4.5.0

v4.4.10

v4.4.9

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.4.0-rc1

v4.3.0

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.2.0-beta.4

v4.2.0-beta.3

v4.2.0-beta.2

v4.2.0-beta.1

v4.1.0

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v4

v4.0.0-alpha.3

v4.0.0-alpha.2

v4.0.0-alpha.1

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.2

v3.4.1

v3.4.0

v3.4.0-beta.3

v3.4.0-beta.2

v3.4.0-beta.1

v3.3.2

v3.3.1

v3.3.0

v3.3.0-beta.5

v3.3.0-beta.4

v3.3.0-beta.3

v3.3.0-beta.2

v3.3.0-beta.1

v3.2.16

v3.2.15

v3.2.14

v3.2.13

v3.2.12

v3.2.11

v3.2.10

v3.2.9

v3.2.8

v3.2.7

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.15

v3.1.14

v3.1.13

v3.1.12

v3.1.11

v3.1.10

v3.1.9

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.10

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v3.0.0-beta.9

v3.0.0-beta.8

v3.0.0-beta.7

v2.2.9

v3.0.0-beta.6

v3.0.0-beta.5

v3.0.0-beta.4

v3.0.0-beta.3

v3.0.0-beta.2

v3.0.0-beta-1

v3.0.0-alpha-1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0.0-beta.2

v1.3.4

v2.0.0-beta.1

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.3.0-beta.5

v1.3.0-beta.4

v1.3.0-beta.3

v1.3.0-beta.2

v1.3.0-beta1

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

Labels

Clear labels   

browser-specific

  

bug

  

correctness issues

  

enhancement

  

feature: Google Drive

  

feature: Linkwarden

  

feature: git

  

feature: nextcloud-bookmarks

  

feature: tabs

  

feature: webdav

  

help wanted

  

native-app

  

priority: high

  

priority: low

  

priority: medium

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

stale

  

upstream

  

waiting for more information

  

wontfix

  

🙁 Not following issue template

No labels

browser-specific

bug

correctness issues

enhancement

feature: Google Drive

feature: Linkwarden

feature: git

feature: nextcloud-bookmarks

feature: tabs

feature: webdav

help wanted

native-app

priority: high

priority: low

priority: medium

pull-request

question

question

stale

upstream

waiting for more information

wontfix

🙁 Not following issue template

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/floccus#149

No description provided.