Closed
Bug 1418223
Opened 7 years ago
Closed 7 years ago
Use the decrypted credit card number to search duplicate records in the storage if master password is disabled
Categories
(Toolkit :: Form Autofill, enhancement, P5)
Toolkit
Form Autofill
Tracking
()
RESOLVED
FIXED
mozilla59
Tracking | Status | |
---|---|---|
firefox59 | --- | fixed |
People
(Reporter: lchang, Assigned: lchang)
Details
Attachments
(1 file)
Since we don't want the master password dialog to show up before any credit card doorhanger, currently we only use the last 4 digits of the credit card number to search if there's any duplicate record in the storage. It results in that no doorhanger shows up if the incoming record contains a number whose last 4 digits are identical to one of the records in the storage. This issue can be mitigated by decrypting the number before comparing when we're sure no master password dialog will be involved.
Assignee | ||
Comment 1•7 years ago
|
||
On a second thought, I think maybe we shouldn't use the decrypted credit card number to search duplicate records when master password is enabled (even it's logged in already) as it might put the credit card number at risk. For example, when Firefox has logged in the master password, someone else can brute-force trying your credit card number by checking if doorhanger appears without having any idea of your master password. Therefore, I changed the title to only use decrypted number to compare numbers when the master password is disabled.
Summary: Use the decrypted credit card number to search duplicate records in the storage if master password has been logged in → Use the decrypted credit card number to search duplicate records in the storage if master password is disabled
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → lchang
Comment hidden (mozreview-request) |
Assignee | ||
Updated•7 years ago
|
Status: NEW → ASSIGNED
Comment hidden (mozreview-request) |
Comment 4•7 years ago
|
||
mozreview-review |
Comment on attachment 8931254 [details] Bug 1418223 - Use the decrypted credit card number to search duplicate records in the storage if master password is disabled. https://reviewboard.mozilla.org/r/202392/#review208800 ::: browser/extensions/formautofill/ProfileStorage.jsm:1665 (Diff revision 2) > let isDuplicate = this.VALID_FIELDS.every(field => { > if (!clonedTargetCreditCard[field]) { > return !creditCard[field]; > } > - if (field == "cc-number") { > + if (field == "cc-number" && creditCard[field]) { > + if (MasterPassword.isEnabled) { How about `if (MasterPassword.isEnabled && !MasterPassword.isLoggedIn)` so we can compare full number if it's logged in already? ::: browser/extensions/formautofill/test/unit/test_creditCardRecords.js:560 (Diff revision 2) > + let token = tokendb.getInternalKeyToken(); > + token.reset(); > + token.initPassword("password"); > + do_check_eq(profileStorage.creditCards.getDuplicateGuid(record), guid); > + > + // ... Even though the master password is enabled and the last 4 digits are the I'm not sure why this test would work cause I didn't see we handle the invalid number in the `getDuplicateGuid`
Attachment #8931254 -
Flags: review?(schung)
Assignee | ||
Comment 5•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8931254 [details] Bug 1418223 - Use the decrypted credit card number to search duplicate records in the storage if master password is disabled. https://reviewboard.mozilla.org/r/202392/#review208800 > How about `if (MasterPassword.isEnabled && !MasterPassword.isLoggedIn)` so we can compare full number if it's logged in already? I'm on purpose not to use `!MasterPassword.isLoggedIn` to avoid potential risks. See comment 1 for details. > I'm not sure why this test would work cause I didn't see we handle the invalid number in the `getDuplicateGuid` Because the incoming record will be normalized and invalid numbers will be deleted. This test should pass without this patch but I want to ensure it won't be broken in the future.
Comment 6•7 years ago
|
||
mozreview-review |
Comment on attachment 8931254 [details] Bug 1418223 - Use the decrypted credit card number to search duplicate records in the storage if master password is disabled. https://reviewboard.mozilla.org/r/202392/#review208838
Attachment #8931254 -
Flags: review+
Comment hidden (mozreview-request) |
Pushed by lchang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c5bc80ce386c Use the decrypted credit card number to search duplicate records in the storage if master password is disabled. r=steveck
Comment 9•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c5bc80ce386c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
You need to log in
before you can comment on or make changes to this bug.
Description
•