Closed Bug 1166571 Opened 10 years ago Closed 7 years ago

[meta] Third-party password manager add-ons interfere with Sync

Categories

(Firefox :: Sync, defect, P3)

Product:
Firefox
Component:
Sync
Version:
38 Branch
Platform:
x86_64
Windows 8.1
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: josh.karli, Unassigned)

References

Details

Attachments

(2 files)

error-sync-1432081247002.txt
3.59 KB, text/plain
Details
screenshot of problem on FF 38.0.5
750.92 KB, image/png
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 Build ID: 20150513174244 Steps to reproduce: This problem started immediately after autoupgrading to FF 38.0.1 using the FF background maintenance service. It is probably worth noting that I have a particularly long password (~20 characters). 1) Open Firefox, start browsing. Browser was previously set to have syncing enabled, to sync only bookmarks, addons, and preferences. 2) FF complains about incorrect sync credentials within a few seconds of FF opening (see error message below). 3) Click on hamburger icon>sync>reenter credentials 4) Works fine for about 45 minutes, then it spits out a log (attached, they all look identical) and displays the error in the GUI again. Same results for same setup on my laptop and desktop, both running Win 8.1 x64 Pro, up to date as of today. Both have same addons and plugins, no services. I have not tried this without addons since I assume that sync does not interact with addons. Addon list: Adblock Plus 2.6.9 Adblock Plus Popup Addon 0.9.2 Ant Video Downloader 2.4.7.31 DownThemAll! 2.0.18 DownThemAll! Anticontainer 1.3 Element Hiding Helper for Adblock Plus 1.32 FEBE 8.7 flickr original 1.0.8 HTTPS-everywhere 5.0.4 Pilfer 1.29 Privacy Badger Firefox 0.1.4 Self-Destructing Cookies 0.4.7 Tab Mix Plus 0.4.1.7 Netcraft Anti-Phishing Toolbar 1.10.1 (disabled) Plugins: OpenH264 Video Codec provided by Cisco Systems 1.4 (always activate) Shockwave Flash 17.0.0.169 (ask to activate) other plugins are set to never activate Actual results: FF claims that sync credentials are ok initially, then later complains of an error: "sync encountered an error while syncing: incorrect account name or password. sync will automatically retry this action" every 45 minutes or so. If I reenter my sync credentials then it seems to be fine again for another 45 minutes, approximately. Expected results: Sync should remember my sync credentials as it always.
I'm also getting this behaviour on Firefox 38.0.1 (on Ubuntu 14.10). My sync password also is long ( > 20 chars). User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Build ID: 20150511103731 Addon list: Adblock Edge 2.1.9.1-signed BugMeNot Plugin 3.1-signed Disconnect 3.15.3.1-signed Firebug 2.0.10 Flashblock 1.5.18.1-signed Live HTTP headers 0.17.1-signed Remember Passwords 1.1.1-signed Saved Password Editor 2.9.1-signed Tamper Data 11.0.1.1-signed Ubuntu Firefox Modifications 3.0 Ubuntu Online Accounts 0.5 Unity Desktop Integration 3.0.2 Unity Websites integration 2014.07.01.beta User Agent Switcher 0.7.3.1-signed
I have this bug on two computers. My friend's computer has this problem too. Please mark it confirmed. I am greatly disappointing by this, as at first the sync system was totally broken like this, and sync was unusable. Then it was fixed and it worked fine for months irrespective of cookies, although you needed one to do your first sign in. Not it's broken real bad, and nagging constantly unless the user disables syncing.
FF 38.0.5 still exhibits this bug. I would be happy to run tests or submit logs as anyone requests. As it currently manifests, it seems that entering sync credentials will allow syncing, however the error
OS: Unspecified → Windows 8.1
Hardware: Unspecified → x86_64
(continuing above comment) the error emerges after ~30-60 minutes (about 45 minutes I think) after last entering credentials and FF cannot be synced again until credentials are reentered. Adding a screenshot of the error message.
shows the annoying error message as of 38.0.5
It seems to me that this problem would either be in FF's hashing of the password for credential storage for later use, or is somehow in the communication protocol used after the initial credentials are communicated. I say this having no idea how sync works.
I have upgraded to ff 39.0, and I'm still getting this error.
(In reply to Timothy Moll from comment #7) > I have upgraded to ff 39.0, and I'm still getting this error. Turns out this issue was caused by one of my add-ons (in my case: Remember Passwords). Sync now is working as intended.
Sync is still broken. Apparently, it's all hooked to history, which is defective by design.
I was having the same problem running on a Mac running OS X Yosemite. It turns out that the culprit was an add-on: "Keychain Services Integration" that allows for storing usernames and passwords using Apple's Keychain Services instead of the built-in system. While it works OK for all other passwords it seems the particular json contents of the sync account password doesn't make through. The account's passwords looks something like {"version":1,"accountData":{"customizeSync":false,"kA":"*******************","kB":"*******************"}} I hope this may help somebody. I'll try to contact the add-on developer.
The problem is not limited to Mac. Mozilla is recommending using bad security practices that no one should ever use on a mobile machine. https://support.mozilla.org/en-US/kb/firefox-sync-troubleshooting-and-tips#w_firefox-sync-resets-every-time-i-close-firefox_2
Component: Untriaged → Sync
There are 2 common reasons for this issue: * addons that mess with the password storage - as comment 8 and 10 mentioned. * As comment 11 mentions, configuring Firefox to delete stored passwords on exit also causes this. In Firefox 42 we've actually removed that option completely - now you should just tell Firefox to not remember passwords.
There is a difference between someone gaining access to bookmarks synchronization, and someone gaining access to someone's banking account. Are you stating that Firefox is blind to the difference?
(In reply to Brenda Make from comment #13) > There is a difference between someone gaining access to bookmarks > synchronization, and someone gaining access to someone's banking account. Obviously. > Are you stating that Firefox is blind to the difference? Obviously not. You are clearly missing something important, but I've no idea what it is. If you can clarify your concerns with some context I may be able to help.
Turning this into a meta and changing the description.
Summary: Firefox 38.0.1 sync forgets Firefox Sync account login credentials → [meta] Third-party password manager add-ons interfere with Sync credential storage in the Firefox password manager.
Depends on: 1128402
Flags: firefox-backlog+
Priority: -- → P3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Clearing the priority from all our meta bugs.
Priority: P3 → --
Flags: firefox-backlog+
Priority: -- → P3
Updating the title to reflect that it interferes in various ways, notably with both credential saving and the syncing of passwords.
Summary: [meta] Third-party password manager add-ons interfere with Sync credential storage in the Firefox password manager. → [meta] Third-party password manager add-ons interfere with Sync
No longer blocks: 1182061
Depends on: 1182061
3rd party login managers cannot interfere with the login manager services anymore since we only support WebExtensions now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
See Also: → 1562743
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: