Closed Bug 1236651 Opened 4 years ago Closed 4 years ago

Sync log contains username and password in plain text

Categories

(Firefox :: Firefox Accounts, defect)

defect
Not set


RESOLVED FIXED
Firefox 46
Tracking Status
firefox44 --- fixed
firefox45 --- fixed
firefox46 --- fixed

People

(Reporter: TheOne, Assigned: markh)

References

Details

(Whiteboard: [fxa])

Attachments

(1 file)

The code at https://dxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccountsWebChannel.jsm#141 logs the plain-text username and password for FxA.

1447436730598	FirefoxAccounts	DEBUG	FxAccountsWebChannel message received: {"command":"internal:signed_in","data":{"customizeSync":false,"keyFetchToken":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","password":"PASSWORD","unwrapBKey":"ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ","email":"EMAILADDRESS","lastLogin":1447436730535,"sessionToken":"YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY","sessionTokenContext":"fx_desktop_v1","uid":"405648b8ccdc4e4fb432e6e715d705bf","verified":true},"messageId":null}
Flags: needinfo?(markh)
See Also: → 1236708
Depends on: 1236708
Whiteboard: [fxa]
We already have a |logPII| boolean in FxAccountsCommon which is used to determine if we should log personal or sensitive information - this patch uses that to determine whether to log the entire message or not.

(The fact the password is there at all is a different bug we are actively working on, but this patch also prevents things like the encryption keys being logged)
Assignee: nobody → markh
Status: NEW → ASSIGNED
Flags: needinfo?(markh)
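An added example (not Firefox's code, and not the patch attached to this bug) of the gating described in the comment above: a logPII boolean decides whether the whole WebChannel message is logged or only its command name. It goes one step further than the patch by also redacting known secret fields (password, keyFetchToken, unwrapBKey, sessionToken) even when logPII is on, and includes a check that can be run over an existing log line. The SECRET_FIELDS and PII_FIELDS lists are assumptions derived from the fields visible in the leaked log line in comment 0, not an authoritative FxA message schema; the sample message is constructed with placeholder values.

```javascript
// Added example, not part of Firefox. Demonstrates gating log detail on a
// logPII flag plus always-on redaction of credential fields.

// Constructed sample shaped like the message in comment 0, placeholder values only.
const SAMPLE_MESSAGE = {
  command: "internal:signed_in",
  data: {
    customizeSync: false,
    keyFetchToken: "XXXXXXXXXXXXXXXX",
    password: "PASSWORD",
    unwrapBKey: "ZZZZZZZZZZZZZZZZ",
    email: "EMAILADDRESS",
    lastLogin: 1447436730535,
    sessionToken: "YYYYYYYYYYYYYYYY",
    sessionTokenContext: "fx_desktop_v1",
    uid: "405648b8ccdc4e4fb432e6e715d705bf",
    verified: true,
  },
  messageId: null,
};

// Assumed field lists (hypothetical, taken from the leaked line, not a schema).
// Secrets are never written to a log, regardless of logPII.
const SECRET_FIELDS = new Set(["password", "keyFetchToken", "unwrapBKey", "sessionToken"]);
// Personal but non-secret fields are written only when logPII is enabled.
const PII_FIELDS = new Set(["email", "uid"]);

// Walk the message and replace sensitive values; returns a new object.
function redact(value, logPII) {
  if (Array.isArray(value)) return value.map(v => redact(v, logPII));
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    if (SECRET_FIELDS.has(key)) out[key] = "<redacted>";
    else if (PII_FIELDS.has(key) && !logPII) out[key] = "<pii>";
    else out[key] = redact(v, logPII);
  }
  return out;
}

// Build the DEBUG log text. With logPII off, only the command name is logged,
// which is what the patch in this bug does. With logPII on, the message is
// logged but credential fields are still redacted.
function formatForLog(message, logPII) {
  if (!logPII) {
    return `FxAccountsWebChannel message received: ${message.command}`;
  }
  return `FxAccountsWebChannel message received: ${JSON.stringify(redact(message, true))}`;
}

// Check an existing sync log line for an unredacted secret field, so a user
// can scan a log before attaching it to a bug report.
function leaksSecret(logLine) {
  return [...SECRET_FIELDS].some(f => new RegExp(`"${f}":"(?!<redacted>)`).test(logLine));
}

console.log(formatForLog(SAMPLE_MESSAGE, false));
console.log(formatForLog(SAMPLE_MESSAGE, true));
```

With logPII off the log carries nothing but the command; with it on, the email and uid appear for debugging but the password and tokens do not, which is the property worth asserting in a test rather than trusting the gate alone.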
Attachment #8703879 - Flags: review?(nalexander)
Comment on attachment 8703879 [details] [diff] [review]
0001-Bug-1236651-don-t-log-complete-FxA-webchannel-messag.patch

Review of attachment 8703879 [details] [diff] [review]:
-----------------------------------------------------------------

lgtm.

I verified that https://dxr.mozilla.org/mozilla-central/source/mobile/android/modules/FxAccountsWebChannel.jsm doesn't log messages indiscriminately.  On the Java side, we're very careful about such logging to logcat, since it used to be that logcat was globally accessible.
Attachment #8703879 - Flags: review?(nalexander) → review+
Comment on attachment 8703879 [details] [diff] [review]
0001-Bug-1236651-don-t-log-complete-FxA-webchannel-messag.patch

Approval Request Comment
[Feature/regressing bug #]: N/A
[User impact if declined]: User may find personally identifiable information in their sync logs. While these logs typically remain inside the profile directory, some users may upload complete logs to bugzilla etc, which may expose sensitive information.
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: Tiny trivial patch limited to FxA
[String/UUID change made/needed]: None
Attachment #8703879 - Flags: approval-mozilla-beta?
Attachment #8703879 - Flags: approval-mozilla-aurora?
Thanks for the fast fix!
https://hg.mozilla.org/mozilla-central/rev/c38424a542eb
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment on attachment 8703879 [details] [diff] [review]
0001-Bug-1236651-don-t-log-complete-FxA-webchannel-messag.patch

Taking it in aurora & beta as it is low risk.
Attachment #8703879 - Flags: approval-mozilla-beta?
Attachment #8703879 - Flags: approval-mozilla-beta+
Attachment #8703879 - Flags: approval-mozilla-aurora?
Attachment #8703879 - Flags: approval-mozilla-aurora+
Product: Core → Firefox
Target Milestone: mozilla46 → Firefox 46