Sync code should be protected by a master password or Windows Hello

When I click view sync code in Brave it doesn’t ask for a Windows password or fingerprint, and there’s no option to add a master password like Firefox. Which means if anyone ever has access to my unlocked PC, whether physical or virtual (software like TeamViewer, or a backdoored trojan virus), they can just copy my sync code without knowing my password and paste it in their Brave and they’d have access to all my data, including all saved passwords.

Solution: The solution could be adding a master password like Firefox. Or, prompt Windows Hello every time a user tries to change anything in Sync settings, whether it’s viewing the sync code, adding a new device or changing any sync settings.

The same logic should apply for the Android version of Brave as well; you need to verify biometrics before changing anything in sync.


I see this and get what you’re saying, but I also feel it’s very important to put focus on the other side of things, which is the responsibility of the user. You say one very big mistake:

That’s your mistake there. You should always lock your PC when you’re not using it. If you choose to leave it unlocked and active for people, then you’re the one at fault if they grab. I mean, they could then use your PC to visit one of your sites and log in using your saved credentials and then change your passwords. They could also install keyloggers, clone your various folders, etc.

In fact, it would not even be hard for them to just clone your hard drive by doing a backup and then access it on a different device.

If this was just a request for the extra security by having the sync code password protected, I get it. But when I see people say things like “if I leave things accessible and unprotected…” that just isn’t right. Privacy and security rely most heavily on the user to be responsible.

I would like to respond to this. I think it is obvious that one should not leave the PC unattended, but I feel it does not influence the fact that the sync code should be protected better. Security is always layered (or multifactor) and potential access to all your passwords should really be better protected also from within the client.