Closed
Bug 1236651
Opened 8 years ago
Closed 8 years ago
Sync log contains username and password in plain text
Categories: Firefox :: Firefox Accounts, defect
Status: RESOLVED FIXED
Tracking: Firefox 46
People: Reporter: TheOne, Assigned: markh
Whiteboard: [fxa]
Attachments (1 file): patch, 1.51 KB; nalexander: review+; Sylvestre: approval-mozilla-aurora+; Sylvestre: approval-mozilla-beta+
https://dxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccountsWebChannel.jsm#141 logs the plain text username and password for FxA.

1447436730598 FirefoxAccounts DEBUG FxAccountsWebChannel message received: {"command":"internal:signed_in","data":{"customizeSync":false,"keyFetchToken":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","password":"PASSWORD","unwrapBKey":"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","email":"EMAILADDRESS","lastLogin":1447436730535,"sessionToken":"YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY","sessionTokenContext":"fx_desktop_v1","uid":"405648b8ccdc4e4fb432e6e715d705bf","verified":true},"messageId":null}
Updated 8 years ago: Flags: needinfo?(markh)
Updated 8 years ago: Whiteboard: [fxa]

Comment 1 (Assignee), 8 years ago:
We already have a |logPII| boolean in FxAccountsCommon which is used to determine if we should log personal or sensitive information - this patch uses that to determine whether to log the entire message or not. (The fact the password is there at all is a different bug we are actively working on, but this patch also prevents things like the encryption keys being logged)
Assignee: nobody → markh
Status: NEW → ASSIGNED
Flags: needinfo?(markh)
Attachment #8703879 - Flags: review?(nalexander)
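As an added example (not the patch attached to this bug, and not FxA's own code), here is one way to apply the logPII idea from comment 1 to the message shape shown in the bug report: the message is logged whole only when logPII is set; otherwise the secret-bearing fields are redacted so the log still records which fields were present. The sensitive-field list, the function names and the sample values are this example's own assumptions.

```javascript
// Added example, not the patch from this bug nor FxA's own code: a logPII-gated
// redactor for an FxA WebChannel message. The message shape follows the log line
// in the bug report; the field list, names and sample values are assumptions.
const SENSITIVE_FIELDS = new Set([
  "password", "keyFetchToken", "unwrapBKey", "sessionToken", "email",
]);

// Recursively replace sensitive values with a marker. Keys are kept so the
// log still shows which fields the message carried.
function redactMessage(value) {
  if (Array.isArray(value)) {
    return value.map(redactMessage);
  }
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = SENSITIVE_FIELDS.has(key) ? "[redacted]" : redactMessage(inner);
    }
    return out;
  }
  return value; // strings, numbers, booleans and null pass through unchanged
}

// The string a DEBUG log would record. Only with logPII set is the whole
// message written out (the behaviour this bug reported).
function formatForLog(message, logPII) {
  const shown = logPII ? message : redactMessage(message);
  return `FxAccountsWebChannel message received: ${JSON.stringify(shown)}`;
}

// Constructed sample message mirroring the bug's log line, with placeholder secrets.
const SAMPLE_MESSAGE = {
  command: "internal:signed_in",
  data: {
    customizeSync: false,
    keyFetchToken: "XXXX", password: "PASSWORD", unwrapBKey: "ZZZZ",
    email: "EMAILADDRESS", lastLogin: 1447436730535,
    sessionToken: "YYYY", sessionTokenContext: "fx_desktop_v1",
    uid: "405648b8ccdc4e4fb432e6e715d705bf", verified: true,
  },
  messageId: null,
};

// Regression check: does a log line still contain any of the placeholder secrets?
function leaksSecrets(logLine) {
  const secrets = ["PASSWORD", "XXXX", "ZZZZ", "YYYY", "EMAILADDRESS"];
  return secrets.some((s) => logLine.includes(s));
}

console.log(formatForLog(SAMPLE_MESSAGE, false));
```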
Comment 2, 8 years ago:

Comment on attachment 8703879 [details] [diff] [review]
0001-Bug-1236651-don-t-log-complete-FxA-webchannel-messag.patch

Review of attachment 8703879 [details] [diff] [review]:

lgtm. I verified that https://dxr.mozilla.org/mozilla-central/source/mobile/android/modules/FxAccountsWebChannel.jsm doesn't log messages indiscriminately. On the Java side, we're very careful about such logging to logcat, since it used to be that logcat was globally accessible.
Attachment #8703879 - Flags: review?(nalexander) → review+
Comment 4 (Assignee), 8 years ago:

Comment on attachment 8703879 [details] [diff] [review]
0001-Bug-1236651-don-t-log-complete-FxA-webchannel-messag.patch

Approval Request Comment
[Feature/regressing bug #]: N/A
[User impact if declined]: User may find personally identifiable information in their sync logs. While these logs typically remain inside the profile directory, some users may upload complete logs to bugzilla etc., which may expose sensitive information.
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: Tiny trivial patch limited to FxA
[String/UUID change made/needed]: None
Attachment #8703879 - Flags: approval-mozilla-beta?
Attachment #8703879 - Flags: approval-mozilla-aurora?
Comment 5 (Reporter), 8 years ago:

Thanks for the fast fix!
Comment 6 (bugherder), 8 years ago:

https://hg.mozilla.org/mozilla-central/rev/c38424a542eb
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox46: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46

Updated 8 years ago:
status-firefox44: --- → affected
status-firefox45: --- → affected
Comment 7, 8 years ago:

Comment on attachment 8703879 [details] [diff] [review]
0001-Bug-1236651-don-t-log-complete-FxA-webchannel-messag.patch

Taking it in aurora & beta as it is low risk.
Attachment #8703879 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8703879 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 8 (bugherder uplift), 8 years ago:

https://hg.mozilla.org/releases/mozilla-aurora/rev/0b128b848d89

Comment 9 (bugherder uplift), 8 years ago:

https://hg.mozilla.org/releases/mozilla-beta/rev/557dc9dd4dbd

Comment 10 (bugherder uplift), 8 years ago:

https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/557dc9dd4dbd
status-b2g-v2.5: --- → fixed
Updated 6 years ago:
Product: Core → Firefox

Updated 6 years ago:
status-b2g-v2.5: fixed → ---
Target Milestone: mozilla46 → Firefox 46