Closed Bug 1147596 Opened 11 years ago Closed 11 years ago

[E-Mail] Gmail Automatic Setup will populate google gate only if the email address exists (security risk)

Categories

(Firefox OS Graveyard :: Gaia::E-Mail, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(b2g-v2.0 unaffected, b2g-v2.1 affected, b2g-v2.2 affected, b2g-master affected)

RESOLVED INVALID

People

(Reporter: onelson, Unassigned)

Details

(Whiteboard: [3.0-Daily-Testing])

Attachments

(1 file)

Description:
When the user opens the email address for the first time and attempts to sign in with a Gmail account, they will be redirected to a Google login page upon tapping 'Next'. If the user inputs a valid email address (one that exists), they will observe the email being populated on the next page. However, if the address does not exist then the Google page will not populate the email address field. This is a security risk as it indicates to the user attempting to sign in that the email address does exist.

In a browser, when attempting to sign in with an email address + password, Google will respond on a bad login that your "Email address or password is incorrect", so as not to indicate to the user attempting login that either is necessarily correct.

Repro Steps:
1) Update a Flame to 20150325010206
2) Open the E-Mail app for the first time
3) Input name and known email address
4) Observe google gate populating address field
5) Return to previous page
6) Input name and incorrect email address (change a single character from your previous)
7) Observe google gate not populating address field

Actual:
Google page informs the user whether the email address exists or not based on populating the field

Expected:
Google page always populates the field with the previous text entry user submitted.
Environmental Variables:
--------------------------------------------------
Device: Flame 3.0
Build ID: 20150325010206
Gaia: aebfbd998041e960cea0468533c0b5041b504850
Gecko: cc0950b7a369
Gonk: b83fc73de7b64594cd74b33e498bf08332b5d87b
Version: 39.0a1 (3.0)
Firmware Version: v18D
User Agent: Mozilla/5.0 (Mobile; rv:39.0) Gecko/39.0 Firefox/39.0
--------------------------------------------------
Device: Flame 2.2
BuildID: 20150325002503
Gaia: aeee2a54caa8ffb875b96264b61d742b70689f22
Gecko: 556aca3e50ac
Gonk: ebad7da532429a6f5efadc00bf6ad8a41288a429
Version: 37.0 (2.2)
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:37.0) Gecko/37.0 Firefox/37.0
--------------------------------------------------
Device: Flame 2.1
BuildID: 20150325001202
Gaia: b8ae0df34362420fe4a9c90effa5247a1f5c844d
Gecko: 2a05cd42088b
Gonk: b83fc73de7b64594cd74b33e498bf08332b5d87b
Version: 34.0 (2.1)
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:34.0) Gecko/34.0 Firefox/34.0
==================================================
Issue DOES NOT REPRO on flame 2.0 devices (different behavior)
Results: User is requested for username + password without a google gate, so no chance to populate a field based on credential authentication

Device: Flame 2.0
BuildID: 20150325000205
Gaia: 896803174633fc6acd3fd105f81c349b8e9b9633
Gecko: 543c2325d667
Gonk: b83fc73de7b64594cd74b33e498bf08332b5d87b
Version: 32.0 (2.0)
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:32.0) Gecko/32.0 Firefox/32.0
--------------------------------------------------
Repro frequency: 6/6

See attached:
video - https://youtu.be/o5hGfxqmC-U
logcat
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(pbylenga)
Whiteboard: [3.0-Daily-Testing]
Google is deciding whether to populate the field, not us. It's a Google-controlled page and our behaviour does not vary.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(pbylenga)
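
The prefill difference reported in this bug, as an added example that is not code from Gaia, Google or anyone on this bug: a sign-in page that fills the address field only for existing accounts, next to one that always echoes the submitted text, plus a regression check that compares the two cases. The account store, function names and sample addresses are assumptions made up for the illustration.

```javascript
// Constructed account store; the addresses are sample values, not from the bug.
const ACCOUNTS = new Set(["alice@example.com"]);

// Escape text before placing it inside an HTML attribute value.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Hypothetical sign-in page with the address field prefilled.
function signInPage(prefill) {
  return `<form method="post"><input name="email" value="${escapeAttr(prefill)}">` +
         `<input name="password" type="password"></form>`;
}

// Behaviour the report describes: the field is filled only when the account exists.
function renderConditional(hint) {
  return signInPage(ACCOUNTS.has(hint.toLowerCase()) ? hint : "");
}

// Behaviour the report expects: the submitted text is always echoed back.
function renderUniform(hint) {
  return signInPage(hint);
}

// Regression check: mask the echoed address, then compare the page rendered
// for an existing account with the page rendered for a non-existing one.
// Any remaining difference tells the visitor whether the account exists.
function leaksExistence(render, existing, missing) {
  const mask = (html, addr) => html.split(escapeAttr(addr)).join("{EMAIL}");
  return mask(render(existing), existing) !== mask(render(missing), missing);
}

console.log("conditional prefill leaks:",
  leaksExistence(renderConditional, "alice@example.com", "alicf@example.com"));
console.log("uniform prefill leaks:",
  leaksExistence(renderUniform, "alice@example.com", "alicf@example.com"));
```

The check covers only the response body; status codes, redirects and response timing need the same comparison.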