Passwords unprotected and visible after update

Why is it possible to see passwords without typing a master password?

I successfully returned to the previous version.

Did the programmer try to put as much no-goes as possible into the new version?

André

2 Likes

This was actively requested by users who wanted to have an easier way to change their password.

Duplicate of Password not protected - #14 by SkryptX .

More information there.

I also dowgraded to 5.6.

1 Like

This was actively requested…?!?

For me, this is a clear reason to go back to 5.6 due to severe password-security-failure…

1 Like

Yup, see this or this

I just added a prompt for your fingerprint/device password to see the mail password. That’s also what Chrome does to show saved browser passwords. Authenticate user before showing password by ByteHamster · Pull Request #5584 · thunderbird/thunderbird-android · GitHub

4 Likes

I also just downgraded to 5.6. For me also unacceptable.

1 Like

From a naive user’s perspective this request might appear reasonable but from a developer’s view this should raise concerns. If it’s that easy to undermine security, I don’t know what to think or say. Just imagine this request was a perfect example of social engineering. If that was actually the case, I’d applaud the hacker instead of being angry.

Some of the worst security issues in recent years have been caused by well-intended modifications like heartbleed or Debian’s OpenSSL debacle. However, at least these weren’t intentionally compromising security. Showing before invisible passwords clearly is.