Closed Bug 1288712 Opened 4 years ago Closed 3 years ago
Forgot password: can enter another account's email, but it does not reset
[Affected versions]:
Fx 48.0b10 (20160721144529)
Fx 49.0a2 (20160720004018)
Fx 50.0a1 (20160719030224)

[Steps to reproduce]:
1. Open latest Firefox beta/aurora/nightly.
2. Go to about:preferences#sync.
3. Sign in with an existing account.
4. Go to Manage Account -> Password -> Change -> Forgot Password?
5. Enter a different e-mail, from another account, and press "reset password".
6. Log in to that e-mail address and reset the password.

[Expected result]:
The password is reset.

[Actual result]:
The password is not reset.
4 years ago
Component: Sync → Server: Firefox Accounts
Product: Firefox → Cloud Services
Version: Trunk → unspecified
It's not clear to me exactly what behavior is being described here. I'm going to re-state the STR with concrete examples; can you please tell me if it's a correct interpretation?
1. Open latest Firefox beta/aurora/nightly.
2. Go to about:preferences#sync.
3. Sign in with an existing account for "firstname.lastname@example.org".
4. Go to Manage Account -> Password -> Change -> Forgot Password?
5. Enter a different e-mail "email@example.com", from another account, and press "reset password".
6. Log in to that e-mail address "firstname.lastname@example.org" and reset the password.
If so, I don't understand which step is in error.
Sorry if the STR were not clear enough. STR 2.0:
1. Launch Fx with a clean profile.
2. Log in with an existing account (i.e. email@example.com; the page on the first run is https://www.mozilla.org/en-US/firefox/48.0/firstrun/).
3. Select the button "Change" from the password area.
4. Under the "Old Password" field select the "Forgot password?" hyperlink.
5. Complete with another e-mail address (i.e. firstname.lastname@example.org, which has a Fx account).
6. Check the e-mail received from Firefox Accounts (with email@example.com).
7. Click on "Reset password" and enter the new password, re-enter and confirm the new password.
8. Relog in Firefox Accounts with firstname.lastname@example.org (nothing has changed).
9. Relog in Firefox Accounts with email@example.com (the password has changed).

[Notes]:
The bug here from my perspective is at step 5: either the e-mail is auto-filled, an error is prompted, or the field is removed.
Thanks, I think I understand now - the bug being that you can be logged in as user A, but use the "forgot password" link to reset the password for user B. The email field should indeed be restricted somehow to the currently logged in email address in this case.
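The restriction proposed in the comment above, as an added example that is not fxa-content-server code (the bug was later resolved WONTFIX, so the project did not ship such a check): a small form-state helper and a gate that refuses to start a reset for an address other than the signed-in account's, while leaving the ordinary unauthenticated "forgot password" entry point untouched. The function names, the `ok`/`reason` result shape and the case-insensitive comparison of addresses are assumptions made for this example.

```javascript
// Added example, not code from the bug or from fxa-content-server: gate a
// "forgot password" request on the email of the currently signed-in account.

// Normalise an address for comparison: trim whitespace and lower-case it.
// Assumption: the account system treats addresses case-insensitively, as
// most mail providers do; adjust if it does not.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Decide what to do with a reset request.
// sessionEmail:   email of the signed-in account, or null when nobody is
//                 signed in (the ordinary "I forgot my password" entry point).
// requestedEmail: the address typed into the reset form.
// Returns { ok: true, email } when the request may proceed, or
//         { ok: false, reason } when it must be refused.
function checkResetRequest(sessionEmail, requestedEmail) {
  if (!requestedEmail || !String(requestedEmail).includes('@')) {
    return { ok: false, reason: 'invalid_email' };
  }
  const requested = normalizeEmail(requestedEmail);

  if (sessionEmail === null || sessionEmail === undefined) {
    // Unauthenticated flow: any address may be entered; the mail delivered
    // to that address is what proves control of the account.
    return { ok: true, email: requested };
  }

  if (normalizeEmail(sessionEmail) !== requested) {
    // Signed-in flow: refuse to start a reset for a different account from
    // inside this session, so a user cannot, by mistake, reset (and thereby
    // wipe the sync data of) an account other than the one they are using.
    return { ok: false, reason: 'email_mismatch' };
  }
  return { ok: true, email: requested };
}

// How the form could present the field (step 5 of the STR): pre-filled and
// read-only when a session exists, free-form otherwise.
function resetFormState(sessionEmail) {
  return sessionEmail
    ? { value: sessionEmail, readOnly: true }
    : { value: '', readOnly: false };
}

// Constructed sample inputs mirroring the addresses used in the STR.
const sampleCases = [
  [null, 'email@example.com'],                                  // no session
  ['email@example.com', 'Email@Example.com '],                  // same account
  ['firstname.lastname@example.org', 'email@example.com'],      // other account
];
for (const [session, requested] of sampleCases) {
  console.log(JSON.stringify({ session, requested, result: checkResetRequest(session, requested) }));
}
```

The same check belongs on the server side of the reset endpoint as well; a read-only field in the content server only guides the user, it does not bind the request to the session.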
We're trying to triage this but we're not sure what the severity is. Can we get some feedback on whether or not this should be tracked?
I don't think this needs to be tracked anywhere except within the Firefox Accounts dev cycle; it's a little bit confusing but unless I'm missing something, the impact is not very severe. It won't let you e.g. accidentally log into someone else's account or anything like that.
In the linked issue, our UX lead confirms that this is in fact working as intended: https://github.com/mozilla/fxa-content-server/issues/4151#issuecomment-247377953 Since resetting your password results in wiping your sync data from the server, the intention here is to ensure that users are very deliberately going through the flow and considering the implications. We will probably revisit this flow at some point, but I'm going to WONTFIX this for now as it's working as designed.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX