Closed
Bug 1288712
Opened 8 years ago
Closed 8 years ago
Forgot password: can enter another account's email, but it does not reset
Categories
(Cloud Services :: Server: Firefox Accounts, defect)
Tracking
(firefox48 wontfix, firefox49 fix-optional, firefox50 fix-optional, firefox51 affected)
RESOLVED WONTFIX
People
(Reporter: ccomorasu, Unassigned)
Details
(Keywords: regression, regressionwindow-wanted)
[Affected versions]:
Fx 48.0b10 (20160721144529)
Fx 49.0a2 (20160720004018)
Fx 50.0a1 (20160719030224)

[Steps to reproduce]:
1. Open the latest Firefox beta/aurora/nightly.
2. Go to about:preferences#sync.
3. Sign in with an existing account.
4. Go to Manage Account -> Password -> Change -> Forgot Password?
5. Enter a different e-mail, from another account, and press "reset password".
6. Log in to that e-mail address and reset the password.

[Expected result]:
The password is reset.

[Actual result]:
The password is not reset.
Updated•8 years ago
Component: Preferences → Sync
Keywords: regression,
regressionwindow-wanted
Updated•8 years ago
Component: Sync → Server: Firefox Accounts
Product: Firefox → Cloud Services
Version: Trunk → unspecified
Comment 1•8 years ago
It's not clear to me exactly what behavior is being described here. I'm going to re-state the STR with concrete examples; can you please tell me if it's a correct interpretation?
1. Open the latest Firefox beta/aurora/nightly.
2. Go to about:preferences#sync.
3. Sign in with an existing account for "one@example.com".
4. Go to Manage Account -> Password -> Change -> Forgot Password?
5. Enter a different e-mail, "two@example.com", from another account and press "reset password".
6. Log in to that e-mail address "two@example.com" and reset the password.
If so, I don't understand which step is in error.
Flags: needinfo?(cristian.comorasu)
Comment 2•8 years ago
Sorry if the STR were not clear enough. STR 2.0:
1. Launch Fx with a clean profile.
2. Log in with an existing account (i.e. acc1@example.com; the page on the first run is https://www.mozilla.org/en-US/firefox/48.0/firstrun/).
3. Select the "Change" button from the password area.
4. Under the "Old Password" field, select the "Forgot password?" hyperlink.
5. Complete with another e-mail address (i.e. acc2@example.com, which has a Fx account).
6. Check the e-mail received from Firefox Accounts (with acc2@example.com).
7. Click on "Reset password" and enter the new password, then re-enter and confirm the new password.
8. Log back in to Firefox Accounts with acc1@example.com (nothing has changed).
9. Log back in to Firefox Accounts with acc2@example.com (the password has changed).
[Notes]: The bug here, in my perspective, is at step 5: either the e-mail should be auto-filled, an error should be prompted, or the field should be removed.
Flags: needinfo?(cristian.comorasu)
Comment 3•8 years ago
Thanks, I think I understand now - the bug being that you can be logged in as user A, but use the "forgot password" link to reset the password for user B. The email field should indeed be restricted somehow to the currently logged-in email address in this case.
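As an added example (not code from fxa-content-server or from anyone in this bug), the following models the restriction Comment 3 suggests: when "Forgot password?" is reached from a signed-in session, the reset may only target the signed-in account, while the signed-out flow still accepts any address. The names `session`, `sendReset` and the `{ action, email, reason }` result shape are assumptions made for this illustration.

```javascript
// Added example, not code from fxa-content-server. It models the restriction
// suggested in Comment 3: when the "Forgot password?" form is reached from a
// signed-in session, the reset may only target the signed-in account.
// Hypothetical names: `session` ({ email } or null), `sendReset(email)`.

function normalizeEmail(value) {
  return String(value || '').trim().toLowerCase();
}

// Loose syntactic check only; the server remains authoritative and must not
// reveal whether an address is registered.
function looksLikeEmail(value) {
  return /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(value);
}

// Decide what the form should do. Returns { action, email, reason } where
// action is 'send' (proceed), 'prefill' (fill the field from the session) or
// 'reject' (refuse the submitted address).
function resolveResetTarget(session, submittedEmail) {
  const submitted = normalizeEmail(submittedEmail);

  if (!session || !session.email) {
    // Signed-out flow: the user may name any address; nothing to compare to.
    if (!looksLikeEmail(submitted)) {
      return { action: 'reject', email: submitted, reason: 'invalid email address' };
    }
    return { action: 'send', email: submitted, reason: null };
  }

  const current = normalizeEmail(session.email);
  if (submitted === '') {
    // Empty field while signed in: use the session's address rather than asking.
    return { action: 'prefill', email: current, reason: 'using signed-in address' };
  }
  if (submitted !== current) {
    // The reported case: signed in as acc1, address of acc2 entered. Refuse
    // rather than mail a reset for a different account from this session.
    return { action: 'reject', email: current, reason: 'address must match the signed-in account' };
  }
  return { action: 'send', email: current, reason: null };
}

// Form handler: only calls sendReset when the decision is 'send'.
function handleForgotPassword(session, submittedEmail, sendReset) {
  const decision = resolveResetTarget(session, submittedEmail);
  if (decision.action === 'send') {
    sendReset(decision.email);
  }
  return decision;
}

// Constructed demo inputs (not real accounts): replay STR 2.0 step 5.
const sent = [];
const signedIn = { email: 'acc1@example.com' };
handleForgotPassword(signedIn, 'acc2@example.com', (e) => sent.push(e)); // rejected, nothing sent
handleForgotPassword(signedIn, 'ACC1@Example.com ', (e) => sent.push(e)); // sent to acc1@example.com
handleForgotPassword(null, 'acc2@example.com', (e) => sent.push(e));     // signed out: sent to acc2@example.com
console.log(sent); // [ 'acc1@example.com', 'acc2@example.com' ]
```

The comparison is done on a normalized form (trimmed, lower-cased) so a differently cased entry of the signed-in address is not mistaken for a cross-account request; the 'prefill' outcome covers the reporter's "auto-filled" suggestion, and 'reject' covers the "error prompt" one.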
Updated•8 years ago
Comment 4•8 years ago
We're trying to triage this but we're not sure what the severity is. Can we get some feedback on whether or not this should be tracked?
Flags: needinfo?(rfkelly)
Comment 5•8 years ago
I don't think this needs to be tracked anywhere except within the Firefox Accounts dev cycle; it's a little bit confusing but unless I'm missing something, the impact is not very severe. It won't let you e.g. accidentally log into someone else's account or anything like that.
Flags: needinfo?(rfkelly)
Updated•8 years ago
Comment 6•8 years ago
In the linked issue, our UX lead confirms that this is in fact working as intended: https://github.com/mozilla/fxa-content-server/issues/4151#issuecomment-247377953 Since resetting your password results in wiping your sync data from the server, the intention here is to ensure that users are very deliberately going through the flow and considering the implications. We will probably revisit this flow at some point, but I'm going to WONTFIX this for now as it's working as designed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX