Passwords saved while not in PBM are hidden but not deleted while in PBM (they can be recovered by disabling PBM again)
Copy-pasting from HackerOne report no. 2070150. I am setting it confidential initially for triaging, but I personally don't think it should be hidden, even though it is worth discussing (maybe we should actually nuke all storage, including passwords, every time PBM is flipped).
Also, I could reproduce on 102.x but cannot reproduce on 115 because saving passwords seems broken there. You click "Save" but the same exception as cancelling is thrown:
NS_ERROR_ABORT: User canceled primary password entry
encrypt resource://gre/modules/crypto-SDR.sys.mjs:87
_encryptLogin resource://gre/modules/storage-json.sys.mjs:825
addLogin resource://gre/modules/storage-json.sys.mjs:186
addLogin resource://gre/modules/LoginManager.sys.mjs:323
persistData resource://gre/modules/LoginManagerPrompter.sys.mjs:441
callback resource://gre/modules/LoginManagerPrompter.sys.mjs:531
_onButtonEvent resource://gre/modules/PopupNotifications.sys.mjs:1928
oncommand chrome://browser/content/browser.xhtml:1
PopupNotifications.sys.mjs:1934:17
_onButtonEvent resource://gre/modules/PopupNotifications.sys.mjs:1934
oncommand chrome://browser/content/browser.xhtml:1
Depending on how we feel about the password manager in general, I will open another issue for that or one to disable/hide it completely.
Recover passwords stored when private browsing mode was disabled, after re-enabling private browsing mode and about:logins stating no login credentials exist.
Steps To Reproduce:
Machine used: MacBook Pro 2020 M1
1. Download Tor Browser (Latest Version) for macOS (Latest Version: Ventura 13.4.1)
2. Enable ‘Always connect automatically’ and click ‘Connect’
3. Navigate to about:preferences#privacy
4. Disable ‘Always use private browsing mode’ and restart the browser when prompted.
5. Navigate to about:logins
6. Click ‘Create New Login’ and enter ‘eff.org’ into the Website address, ‘test’ into the Username, and ‘test’ into the Password. Then click Save.
7. Navigate to about:preferences#privacy
8. Enable ‘Always use private browsing mode’ and restart the browser when prompted.
9. Navigate to about:logins and verify there are no passwords stored.
10. Navigate to about:preferences#privacy
11. Disable ‘Always use private browsing mode’ and restart the browser when prompted.
12. Navigate to about:logins
13. You can now view the login to eff.org and its password, which you thought had been deleted.
Actual behaviour: Login credentials that were created when private browsing mode was disabled can be recovered, even after re-enabling private browsing mode and about:logins displaying that no login credentials exist in Tor Browser.
Expected behaviour: Login credentials automatically clear when re-enabling private browsing mode, after creating login credentials with private browsing mode disabled.
Impact: An attacker could recover any passwords that the user stored while private browsing was disabled, even if the user re-enabled private browsing. The user may check about:logins and assume their logins have been deleted, which may not be true. This attack assumes an attacker has full access to and control of a user's device.
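An added on-disk check, not part of the report or of Tor Browser's own code, for confirming what about:logins hides: the JSON login store (storage-json in the trace above) persists entries regardless of the PBM setting, so listing the origins in the profile's logins.json shows whether credentials survived flipping PBM. The logins.json field names and the sample document are assumptions based on Firefox's login store, not taken from the report; nothing is decrypted, only the presence and age of entries is reported.

```python
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in the shape Firefox/Tor Browser's JSON login store writes.
# Field names are an assumption from Firefox's logins.json, not from the report;
# the ciphertext strings are dummies.
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{
        "id": 1,
        "hostname": "https://eff.org",
        "httpRealm": None,
        "formSubmitURL": "https://eff.org",
        "usernameField": "",
        "passwordField": "",
        "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDEXAMPLE=",
        "encryptedPassword": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDEXAMPLE=",
        "guid": "{00000000-0000-4000-8000-000000000001}",
        "encType": 1,
        "timeCreated": 1688000000000,
        "timeLastUsed": 1688000000000,
        "timePasswordChanged": 1688000000000,
        "timesUsed": 1,
    }],
    "version": 3,
})


def persisted_logins(text):
    """Return (origin, created-UTC) pairs for every login persisted in a logins.json
    document. Nothing is decrypted: the question is only whether entries still exist."""
    data = json.loads(text)
    found = []
    for entry in data.get("logins", []):
        created = datetime.fromtimestamp(entry.get("timeCreated", 0) / 1000, tz=timezone.utc)
        found.append((entry.get("hostname", "?"), created.strftime("%Y-%m-%dT%H:%M:%SZ")))
    return found


def audit_profile(profile_dir):
    """Read <profile>/logins.json if present and report what is still stored there,
    independent of whether about:logins currently shows it."""
    path = Path(profile_dir) / "logins.json"
    if not path.exists():
        return []
    return persisted_logins(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for origin, created in persisted_logins(SAMPLE_LOGINS_JSON):
        print(f"{origin} (saved {created}) is still on disk")
```

Point audit_profile at the Tor Browser profile directory after step 9 above to see whether the eff.org entry is still present while about:logins reports none.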