Old password pre-filled in a "change password" form

Status: NEW (Unassigned)
Priority: P5, Severity: normal
Reported: 2 years ago; Modified: 2 months ago
Reporter: Grisha
Blocks: 1 bug
Firefox Tracking Flags: Not tracked
Attachments: 2

Description (Reporter, 2 years ago):
Created attachment 8840037 [details]
Screenshot_1487787891.png

Following Ryan's queue, going to mark this bug as confidential for now.

See screenshot attached. If I've saved my account password in the browser, it will be pre-filled in the change password form. This doesn't seem particularly great, as anyone with brief access to the device is able to easily change the account password.
Reporter (updated 2 years ago): See Also: → bug 1341735
We have a growing queue of these "unexpected experience when saving FxA password in the password manager" bugs, :adavis it's probably worth a meta-bug to collect them if we don't have one already.

> If I've saved my account password in the browser [...]  anyone with a brief access
> to the device is able to easily change the account password

IIUC this is true regardless of whether or not it gets auto-filled somewhere, as they could pull the password out of the logins manager directly?

I don't think we have a way out of this without special-casing accounts.firefox.com in the password-manager logic on all of our browsers, either by refusing to save the FxA password, or by making it a much more explicit opt-in.
If something is a security bug please use the security checkbox. MoCo confidential does not provide the same level of protection.
Group: mozilla-employee-confidential → firefox-core-security
How is this any different than your browser password manager pre-filling in your facebook or gmail password? We care about firefox data more than those, but to the user it could be the same. If this is a problem for Firefox Accounts then it's a general problem with our password manager.
Group: firefox-core-security
> How is this any different than your browser password manager pre-filling
> in your facebook or gmail password?

It's not AFAICT; it can *feel* different to the user though, because that's the password you use to log in to Firefox itself rather than to a website.
Well, it sort of is different because auto-filling the accounts password will give you access to all of the user's other passwords... unlike Facebook.

IMO, what makes things worse is that we even pre-populate the email field so you only have to hit enter to get full access. Chances are that we saved your email password too, so the email confirmation which is the last line of defense is useless too.

Example of a user story I've heard a couple of times:
As a user of Firefox Accounts, when I log out of my account in the browser on a given machine, I expect nobody to be able to easily log back into it from the same machine.

There is an additional risk that might become more apparent in the near term. We are working on making it easier to pair a second device to Sync without using your password. Someone could log in quickly with password manager auto-complete, then pair another device and log back out. Sure, we can send an email to say a device was added, but the damage is done by then.
> auto-filling the accounts password will give you access to all of the users other passwords

If the user is syncing passwords, and you have physical access to one of their devices, then you already have access to all those other passwords.  They're right there on the device and you don't need FxA's help to get at them.

However, being able to autofill their FxA password might help you to:

* Expatriate the passwords more efficiently, by syncing them to one of your own devices.
* If that device is not connected to sync, it will let you access new or changed passwords that have been synced on other devices.

I don't know how likely these are to make a meaningful difference to user security in practice.  I'm certainly open to being convinced!

> As a user of Firefox Accounts, when I log out of my account in the browser on a given machine,
> I expect nobody to be able to easily log back into it from the same machine.

Note that this bug is not specifically about the user having logged out; my read of Grisha's initial comment and screenshot is that he's actually logged in to the browser at that point.

It's also important to note that users get this behavior by default.  In order to hit the issue described here, the user must have at one point or another made the explicit choice to save the FxA password in their password manager.  We should understand why people are doing that if we plan to change it.

So how could we be handling this differently?  Some options include:

* Refuse to save the FxA password in the password manager.  IIUC, Chrome does this, and we used to do it too, but there were users who were surprised by this behaviour.  It's also not very helpful to users who have a Firefox Account for e.g. addons, but don't use sync.

* Do not suggest that the user save their FxA password.  We currently advertise "would you like Firefox to save this password?" when someone is logging in to Sync.  We could stop doing that, but still allow Power Users to save it manually somehow if they really do want to.

* Save the FxA password, but change the auto-fill behaviour so it requires more clicks to actually use.

* Remove the FxA password from the password manager if you sign out of sync.  If this is the right thing to do for FxA, then it's probably the right thing to do for *all* saved passwords.

I think the last is my current favorite, perhaps with some UI to let the user choose what state they want to clear from the browser.
Created attachment 8841767 [details]
lastpass-save-pwd-warning.png
> Note that this bug is not specifically about the user having logged out; my read of Grisha's initial comment and screenshot is that he's actually logged in to the browser at that point.

My apologies, I got overzealous about the topic of saving FxA passwords in Firefox. You are correct! The user story I gave was unrelated to the one Grisha filed.

> * Refuse to save the FxA password in the password manager.  IIUC, Chrome does this, and we used to do it too, but there were users who were surprised by this behaviour.  It's also not very helpful to users who have a Firefox Account for e.g. addons, but don't use sync.

Good point! That makes this more complicated. I was really thinking about this within the context of Sync.  :-/

> * Do not suggest that the user save their FxA password.  We currently advertise "would you like Firefox to save this password?"

I'm not sure how feasible this is, but I'm going to use LastPass as an example. Perhaps we display a warning. They provide the option to save the password but warn you that it may make you more vulnerable. (see screenshot)

> * Remove the FxA password from the password manager if you sign out of sync.  If this is the right thing to do for FxA, then it's probably the right thing to do for *all* saved passwords.

Interesting but I think we would need to pair it with some sort of a prompt. I've been reflecting on the possibility of asking users if they want to delete their local sync data after sign-out. This could get paired with that but I wouldn't just do it automatically.
> Refuse to save the FxA password in the password manager. [...]
> It's also not very helpful to users who have a Firefox Account for e.g. addons, but don't use sync.

I guess we could activate this behaviour at the point where you actually log into sync, rather than having it always be on for all users.
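The four options listed earlier in the thread (refuse to save, don't prompt, click-to-fill, clear on sign-out) and the refinement just above (only special-case the account origin once the user has actually signed in to sync) can be modelled side by side. The following is an added illustration, not Firefox's password-manager code: `ACCOUNT_ORIGIN`, `Mode`, `PasswordStore` and every method name are hypothetical, and the credential in `scenario` is constructed. Each mode is run through the sequence from the report (sign in to sync, submit the account password, load the change-password form) so the resulting pre-fill behaviour can be compared directly.

```javascript
// Added example, not Firefox code: a toy password-manager policy that models the
// mitigations discussed in this bug for the account-login origin. ACCOUNT_ORIGIN,
// Mode, PasswordStore and all method names are hypothetical.
const ACCOUNT_ORIGIN = "https://accounts.example"; // constructed placeholder origin

// One mode per option from the thread; NONE is the current behaviour (treat like any site).
const Mode = Object.freeze({
  NONE: "none",
  REFUSE_SAVE: "refuse-save",           // option 1: never store the account password
  NO_PROMPT: "no-prompt",               // option 2: store only if the user asks manually
  CLICK_TO_FILL: "click-to-fill",       // option 3: username only until an explicit gesture
  CLEAR_ON_SIGNOUT: "clear-on-signout", // option 4: drop the login when sync signs out
});

class PasswordStore {
  constructor(mode = Mode.NONE) {
    this.mode = mode;
    this.syncSignedIn = false;
    this.logins = new Map(); // origin -> { username, password }
  }

  // The refinement from the later comment: special-casing only applies once the
  // profile is actually signed in to sync, not to every Firefox user.
  isProtected(origin) {
    return origin === ACCOUNT_ORIGIN && this.syncSignedIn;
  }

  signInToSync() { this.syncSignedIn = true; }

  signOutOfSync() {
    this.syncSignedIn = false;
    if (this.mode === Mode.CLEAR_ON_SIGNOUT) this.logins.delete(ACCOUNT_ORIGIN);
  }

  // Whether to show the "save this password?" prompt after a form submission.
  shouldOfferSave(origin) {
    if (!this.isProtected(origin)) return true;
    return this.mode !== Mode.REFUSE_SAVE && this.mode !== Mode.NO_PROMPT;
  }

  // Store a login; manual=true means the user explicitly asked to save it.
  save(origin, username, password, { manual = false } = {}) {
    if (this.isProtected(origin)) {
      if (this.mode === Mode.REFUSE_SAVE) return false;
      if (this.mode === Mode.NO_PROMPT && !manual) return false;
    }
    this.logins.set(origin, { username, password });
    return true;
  }

  // What gets pre-filled into a login form on page load (or after a user gesture).
  autofill(origin, { userGesture = false } = {}) {
    const entry = this.logins.get(origin);
    if (!entry) return null;
    if (this.isProtected(origin) && this.mode === Mode.CLICK_TO_FILL && !userGesture) {
      return { username: entry.username, password: "" };
    }
    return { username: entry.username, password: entry.password };
  }
}

// Walk the report's scenario under one mode: sign in to sync, submit the account
// password (accepting the prompt if shown), load the change-password form, check
// what is pre-filled, then sign out and see whether the login is still stored.
function scenario(mode) {
  const store = new PasswordStore(mode);
  store.signInToSync();
  const offered = store.shouldOfferSave(ACCOUNT_ORIGIN);
  // constructed sample credential
  const saved = store.save(ACCOUNT_ORIGIN, "user@example.test", "correct horse battery");
  const filled = store.autofill(ACCOUNT_ORIGIN);
  const passwordPrefilled = filled !== null && filled.password !== "";
  store.signOutOfSync();
  const survivesSignout = store.logins.has(ACCOUNT_ORIGIN);
  return { offered, saved, passwordPrefilled, survivesSignout };
}

// Compare every mode at once; returns a table keyed by mode name.
function compareModes() {
  const table = {};
  for (const mode of Object.values(Mode)) table[mode] = scenario(mode);
  return table;
}

console.table(compareModes());
```

Because the gate follows the sync sign-in state, only CLEAR_ON_SIGNOUT changes anything after the user signs out; the other modes fall back to ordinary password-manager behaviour at that point, which matters if the options are combined rather than chosen singly.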
Comment 10 (Reporter, 2 years ago):
(In reply to Alex Davis [:adavis] [PM FxA+Sync] from comment #8) 
> My apologies I got over zealous about the topic of saving FxA passwords in
> Firefox. You are correct! The user story I gave was unrelated to the one
> Grisha filed.
See Bug 1341735, which is related to that user story.
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: -- → P5