Bug 1026299
Opened 11 years ago
Updated 2 years ago
delete leftover unwrapBkey from verified FxA accounts
Categories
(Firefox :: Firefox Accounts, defect, P3)
REOPENED
People
(Reporter: warner, Unassigned)
Details
Bug 1021950 was about removing "unwrapBKey" from the stored JSON file
(signedInUser.json) at the end of the email-verification process. But for
everyone who has already verified an account, the unwrapBKey will remain
there. 1021950 is on track to ship in FF33 (October 2014), so we'll probably
have millions of users get into this state before it finally kicks in.
We should change the FxA client code to notice when all of (kA, kB,
unwrapBKey) are present, and delete unwrapBKey in that case. This will remove
the last piece of information that could be used to attempt a dictionary
attack on the password.
Updated•11 years ago
Assignee: nobody → warner-bugzilla
Comment 1•11 years ago
(In reply to Brian Warner [:warner :bwarner] from comment #0)
> Bug 1021950 was about removing "unwrapBKey" from the stored JSON file
> (signedInUser.json) at the end of the email-verification process. But for
> everyone who has already verified an account, the unwrapBKey will remain
> there. 1021950 is on track to ship in FF33 (October 2014), so we'll probably
> have millions of users get into this state before it finally kicks in.
We can uplift bug 1021950 to 32 (or even 31, depending on risk profile) - sounds like we should? Can you make appropriate approval requests there?
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 3•8 years ago
I don't think this bug is strictly a dupe of bug 1021950 - this is to "fix" users who signed up before 1021950 landed. I don't think it's particularly important though, given there will be a tiny number of users affected today and thus it would be extremely difficult for an attacker to know which users can be targeted for a theoretical dictionary attack. IOW, I think this should possibly be WONTFIX rather than a dupe.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Updated•8 years ago
Priority: -- → P3
Updated•8 years ago
Product: Core → Firefox
Updated•3 years ago
Assignee: warner-bugzilla → nobody
Updated•3 years ago
Severity: normal → S3