Closed Bug 1337445 Opened 8 years ago Closed 5 years ago

no Login-Failed-dialog after entering wrong password for yahoo-account (pop)

Categories

(Thunderbird :: Security, defect)

45 Branch
Unspecified
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dheddicke, Assigned: gds)

Attachments

(4 files)

Attached image message_thunderbird.png
User Agent: Mozilla/5.0 (X11; Linux i686; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:
1. Start Thunderbird
2. Enter wrong password for yahoo-account
3. Get error-dialog/"Error with account ***@yahoo.de"

Actual results:
No Login-Failed-dialog and no prompt to enter a new password.

Expected results:
4. Get Login-Failed-dialog
5. Click on "Enter New Password"
6. Get prompt for new password.

Is that a known problem? Is there a way to let Thunderbird forget the password, without having to restart it, for the time up to the fix of the problem?

OS: Linux, Debian Jessie
TB-versions: 45.7 and 53.0a2
Wayne, where does this fit in our set of bugs to do with password entry? Is this bug 1293958 (Yahoo oAuth2.0)? Reporter, you can clear passwords in Tools > Options, Security, Passwords, Saved Passwords.
Flags: needinfo?(vseerror)
Matt is more familiar with it than I am
Flags: needinfo?(vseerror) → needinfo?(unicorn.consulting)
I doubt it is related. The biggest issue with yahoo is their new "less secure apps". If that raises a password error, I am not sure. Authentication fails if it is not enabled, so I assume there is a dialog. As for oAuth2.0, it is offered in the UI for yahoo accounts, but without a secret, it can not work. Given the authentication occurs on the whole in a browser dialog, I would guess that the initial part does work, but the final authentication does not, leading to a no-error failure.
Flags: needinfo?(unicorn.consulting)
I too am having this same problem. I enter an incorrect password for a POP Yahoo account and get the same error message and am not getting the enter new password prompt.
Is the setting "Allow less secure apps" on yahoo allowed? Recently seeing lots of folks with it turned off complaining.
I only have this problem when I enter an incorrect password. Everything is fine if I use a correct password. The problem is not access to my Yahoo account, it is Thunderbird not asking for a new password when I enter an incorrect one.
Yes, on my account "Allow less secure apps" is allowed.
(In reply to Shin Ring from comment #7)
> I only have this problem when I enter an incorrect password. Everything is
> fine if I use a correct password. The problem is not access to my Yahoo
> account, it is Thunderbird not asking for a new password when I enter an
> incorrect one.

Then we need to back up to a point where we can determine if it is actually Thunderbird that is the issue. Follow the instruction here https://support.mozilla.org/t5/Basics/Forum-Response-Troubleshooting-Thunderbird-using-Safe-Mode/ta-p/13616 Please report your results.
No Change. I am thinking Thunderbird does not know how to handle the server's response, which appears to be nothing according to the error message. I bet Thunderbird only puts the new password prompt up for specific server responses. I find it strange that Thunderbird does not have a place for me to manually enter a password for an account, but that is a different topic I guess. Maybe you could open a yahoo email account and try it. This should be easily reproduced.
We had a complaint about Yahoo the other day: Bug 1334973. Something fishy with Yahoo.
After it didn't work in 45.7, I tested 53.0a2 with a new profile (tried with disabled addons too, although only lightning was installed) and got the same result. That was at the time when I reported the bug. Still get the same failure in 53.0a2. Start Thunderbird with a new Profile, should have to be the same as "Restart with addons Disabled". Doesn't it?
(In reply to dheddicke from comment #12)
> Start Thunderbird with a new Profile, should have to be
> the same as "Restart with addons Disabled". Doesn't it?

No, add-ons disabled (safe mode) also modifies video settings and Thunderbird bundles add-ons, although I suppose a new profile would leave those behind.

@ Shin Ring The issue may well be that Yahoo are actually forcing a password reset. Something that is not covered in the mail protocols. I know I have received notices from them asking that I reset my password and advising they will force one. Note that all the comments we see are about POP accounts. Not IMAP. So they may be fiddling with the POP allowed setting as well. I have not encountered it personally, but there is a yahoo issue. Basically they are in a knee jerk reaction to their hacking I feel and doing things that are neither logical nor reasonable.

As to your other topic. If no password is present you will be prompted for it before the login attempt occurs, it is missing. There is an option in the passwords section to delete individual passwords.
Ya, I got that email in December, and changed my passwords. Like I said before, this only happens when I enter an incorrect password, otherwise everything works fine. It is definitely a problem with Thunderbird not being able to deal with Yahoo's response. Outside the protocol or not, it still causes a problem for Thunderbird/Yahoo POP users. So I am correct, there is no place for me to manually enter a password, for situations like this. It is a pain in the 4$$ to have to restart Thunderbird and enter my passwords (6) again to correct an incorrect password. Maybe there should be. I am done here. I'll leave this with the developers to fix, or not. Thanks.
I meant to post this earlier, but I forgot. I found a work around for this bug, a logout add on: https://addons.mozilla.org/en-US/thunderbird/addon/logout/
The problem is still existent in Thunderbird 60b1. Only the error message has changed to "Server error - Please try again later"(since Thunderbird 52). So it seems to be a problem on Yahoo's site.
(In reply to dheddicke from comment #16)
> The problem is still existent in Thunderbird 60b1. Only the error message
> has changed to "Server error - Please try again later"(since Thunderbird
> 52). So it seems to be a problem on Yahoo's site.

so bug 1408610 didn't help
See Also: → 1408610
(In reply to Wayne Mery (:wsmwk) from comment #18)
> (In reply to dheddicke from comment #16)
> > The problem is still existent in Thunderbird 60b1. Only the error message
> > has changed to "Server error - Please try again later"(since Thunderbird
> > 52). So it seems to be a problem on Yahoo's site.
>
> so bug 1408610 didn't help

Bug 1408610 only applies to imap. Maybe pop has a similar problem on yahoo, not sure. If you want to be prompted for a new password after storing a bad one or after a change, I think you can go to the passwords options page and remove the password for the account and you will be prompted again for a fresh pwd.
(In reply to gene smith from comment #19)
> If you want to be prompted for a new password after storing a bad
> one or after a change, I think you can go to the passwords options page and
> remove the password for the account and you will be prompted again for a
> fresh pwd.

That presumes that one stores the password for the email account, if you don't do it, you have to restart Thunderbird to reset the password, because passwords that are only saved for the current session aren't shown in the "saved logins" dialog. Sorry for my late reply.
How is it with newer beta?
Component: Untriaged → Security
Flags: needinfo?(dheddicke)

Sorry for my repeatedly late reply. Yes, the problem with the login still exists and the wrong password still can't be removed via the "saved logins" dialogue.

Flags: needinfo?(dheddicke)

I've tested it with version 65b4.

See the same with yahoo pop with approx. TRUNK debug build version. Works OK with my ISP pop account. With yahoo, just "try again later" and no prompt for corrected password unless you restart. Also, takes quite a while (maybe a minute) before the "try again" prompt even occurs. And definitely can't be found in pwd mgr list.

Is this a repeat of any of these https://mzl.la/2ZhbJx3 ?

None look the same to me (except that this bug is in the list). I will take a look at this again when I get a chance so setting NI for me.

Flags: needinfo?(gds)

Can we likely attribute this to yahoo inconsistency?

(In reply to gene smith from comment #19)
> (In reply to Wayne Mery (:wsmwk) from comment #18)
> ...
> Bug 1408610 only applies to imap. Maybe pop has a similar problem on yahoo,

I thought we also fixed the pop case in the past year. But I'm not finding the bug report. Does anyone recall it?

Flags: needinfo?(unicorn.consulting)
Flags: needinfo?(kaie)
OS: Unspecified → All
Summary: no Login-Failed-dialog after entering wrong password for yahoo-account → no Login-Failed-dialog after entering wrong password for yahoo-account (pop)

(In reply to Wayne Mery (:wsmwk) from comment #27)
> Can we likely attribute this to yahoo inconsistency?

I've looked at this today in detail. What's happening is we send the wrong password to yahoo and they respond (after 1 minute) with

-ERR [SYS/TEMP] Server error - Please try again later.

Yahoo supports the capability RESP-CODE but not AUTH-RESP-CODE so Yahoo doesn't send the code that tb expects, [AUTH], when a bad password is submitted, e.g.:

-ERR [AUTH] Bad username or password - Please try again.

When tb sees the [SYS/TEMP] response code, it assumes the username/password were accepted, so any other activity like clicking get new mail just fails and no prompt for a new password occurs since tb thinks yahoo has already accepted the credentials.

So the problem is truly a tb bug it seems.

I am working a fix for this but need to test it some more with non-Yahoo POP servers.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(gds)
Assignee: nobody → gds
Flags: needinfo?(kaie)

This diff changes tb so that if the POP server's response code to a bad password is -ERR [SYS/TEMP] tb treats it like an AUTH failure. However, yahoo takes 60 seconds before it returns the [SYS/TEMP] response for the bad password. Yahoo also returns in the startup CAPA response that it supports PLAIN, LOGIN and USER. So what ends up happening is that the bad password gets sent 3 times to yahoo so the total time before a re-prompt for the correct password is about 3 minutes. I suspect a user might just go ahead and restart tb rather than wait for the 3 minutes. This wouldn't be a problem if yahoo didn't wait so long to respond to a bad password, but it does. I assume this is to slow down brute force password cracking.

Another non-yahoo POP server I have tested returns -ERR almost immediately with a bad password and only has one auth method in the CAPA response (PLAIN). It also doesn't return a "response code" at all in the password -ERR response so this bug doesn't cause a problem for it. (Response codes are an optional POP extension.) This POP server works with and without my proposed change.

In the diff I show a commented-out way to reduce the wait for yahoo response to 1 minute. But it skips over trying the other AUTH methods with the bad password and just sends PLAIN.

Edit: Note: oauth2 does work with yahoo pop, I just enabled it. So this may make this bug moot unless some users refuse to use oauth2 authentication. My proposed diff doesn't affect oauth2 since there is no way to send a "bad" password that I know of.

Attachment #9130306 - Flags: feedback?(mkmelin+mozilla)
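The behaviour discussed in the two comments above, as an added example (this is not the attached diff and not Thunderbird's code; all function and type names are hypothetical). It assumes the RFC 2449/RFC 3206 capability names RESP-CODES and AUTH-RESP-CODE, and a constructed stand-in server that gives every attempt the same reply after a fixed delay. A [SYS/TEMP] reply to a password command is treated as a credential failure unless the server advertised AUTH-RESP-CODE, and the second function shows the cost of retrying each advertised auth method.

```cpp
#include <cctype>
#include <set>
#include <string>
#include <vector>

// Hypothetical names throughout; an illustration, not Thunderbird's code.
enum class AuthOutcome { Accepted, BadCredentials, TemporaryFailure };

// Return the upper-cased code from "-ERR [CODE] text", or "" if there is none.
std::string ResponseCode(const std::string& line) {
  if (line.compare(0, 4, "-ERR") != 0) return "";
  size_t open = line.find_first_not_of(' ', 4);
  if (open == std::string::npos || line[open] != '[') return "";
  size_t close = line.find(']', open);
  if (close == std::string::npos) return "";
  std::string code = line.substr(open + 1, close - open - 1);
  for (char& c : code)
    c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
  return code;
}

// Classify the reply to a password-bearing command (PASS or an AUTH step).
AuthOutcome ClassifyAuthReply(const std::string& line,
                              const std::set<std::string>& capa) {
  if (line.compare(0, 3, "+OK") == 0) return AuthOutcome::Accepted;
  const std::string code = ResponseCode(line);
  // Only a server advertising AUTH-RESP-CODE (RFC 3206) promises to mark
  // credential failures with [AUTH]; only then is SYS/* a real server fault.
  if (capa.count("AUTH-RESP-CODE") && code.compare(0, 4, "SYS/") == 0)
    return AuthOutcome::TemporaryFailure;
  return AuthOutcome::BadCredentials;  // forget the password and re-prompt
}

struct LoginResult { AuthOutcome outcome; int attempts; int secondsWaited; };

// Walk the advertised auth methods against a constructed server that answers
// every attempt with `reply` after `delaySec` seconds.
LoginResult TryLogin(const std::vector<std::string>& methods,
                     const std::string& reply, int delaySec,
                     const std::set<std::string>& capa,
                     bool stopAtFirstFailure) {
  LoginResult r{AuthOutcome::BadCredentials, 0, 0};
  for (size_t i = 0; i < methods.size(); ++i) {
    ++r.attempts;
    r.secondsWaited += delaySec;
    r.outcome = ClassifyAuthReply(reply, capa);
    if (r.outcome != AuthOutcome::BadCredentials || stopAtFirstFailure) break;
  }
  return r;
}
```

With three methods and a 60-second server delay, `TryLogin` reports 180 seconds before the re-prompt, and 60 seconds when it stops after the first failure.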

(In reply to gene smith from comment #29)
> Edit: Note: oauth2 does work with yahoo pop, I just enabled it. So this may make this bug moot unless some users refuse to use oauth2 authentication. My proposed diff doesn't affect oauth2 since there is no way to send a "bad" password that I know of.

Yahoo will cease to accept anything but oAuth to access mail from Thunderbird in the very near future. The only non oAuth authentication currently allowed appears to be application passwords and See https://au.help.yahoo.com/kb/SLN27791.html

Perhaps we need to offer something to users who are trying to use yahoo to help them migrate. Yahoo wants them to drop mail clients, there is no advertising in them.

Flags: needinfo?(unicorn.consulting)
Comment on attachment 9130306 [details] [diff] [review]
yahoo-pop3-password-fix.diff

Review of attachment 9130306 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, POP3 oauth was added in bug 1538409. With Yahoo now cutting/having cut off auth through normal means I'm not sure this is worth pursuing.
Attachment #9130306 - Flags: feedback?(mkmelin+mozilla)

> Yahoo will cease to accept anything but oAuth to access mail from Thunderbird in the very near future. The only non oAuth authentication currently allowed appears to be application passwords and See https://au.help.yahoo.com/kb/SLN27791.html

Not sure this means Yahoo will stop supporting TLS/Normal Password or that you should only use it in the short term. I think I saw this several years ago when debugging another yahoo issue yet plain passwords still work.

Anyhow, sounds like Magnus is saying WONTFIX. So I'll go ahead and close this as WONTFIX and see if anyone provides a counter argument that might reverse the decision.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
See Also: → 1606339