[Solved] Phone security: passwords are still shown after session is removed
-
dario3004 last edited by leocg
Dear Opera team,
I had an event where someone shared the phone lockscreen PIN with a phone technician.
I suggested logging out of all active Opera sessions in order to prevent any malicious "peek" at the passwords saved in Opera.
This is possible via:
auth.opera.com/account/edit-profile -> Manage your logged Opera account sessions
Even if removing all sessions worked, when the phone returned from repair, you could still check the synchronized passwords by using the PIN. The only thing that changed was a message: "Sync is paused".
I would suggest, for security reasons, that once a session is removed, everything that was synchronized between devices is hidden. This is to prevent such cases where the phone PIN is compromised.
-
leocg Moderator Volunteer last edited by
@dario3004 Passwords are stored locally, encrypted using your OS login credentials, and have nothing to do with whether you are logged in to your Opera account or not.
-
dario3004 last edited by
Thanks for the answer.
With this approach there's no way to prevent all passwords from being leaked if the OS credentials are compromised or if someone forgot to log out of 'Opera sync' on a public device.
I believe that a more secure approach would be to clear passwords (history, tabs, etc.) when a session is revoked.
Hope that we'll see this security improvement in the future.
-
leocg Moderator Volunteer last edited by
@dario3004 It seems that you are misunderstanding what synchronization is (for).
Synchronization is not for you to temporarily access your data, but to allow you to have the same data on all your Opera installations on your computers.
You should never log in to your Opera account, or to any account, on a device that is not yours. If it's absolutely necessary, do it in a private window/mode, make sure that the password is being saved, and change the password as soon as you access your own computer. And have 2FA enabled on all possible services.