Account creation logs the password in plaintext in the error console

VERIFIED FIXED in Thunderbird 66.0

Status

defect
VERIFIED FIXED
5 months ago
4 months ago

People

(Reporter: jorgk, Assigned: BenB)

Tracking

(Blocks 1 bug)

Thunderbird 66.0
Dependency tree / graph

Thunderbird Tracking Flags

(thunderbird_esr6065+ fixed, thunderbird65 fixed, thunderbird66 fixed)

Details

Attachments

(4 attachments)

Reporter

Description

5 months ago
Account creation has very verbose logging since bug 1500105 (or maybe it always had). Although it might not be a security/privacy issue, it's surprising to the user that the password is logged in plaintext.
Flags: needinfo?(ben.bucksch)

Comment 1

5 months ago
I've never seen the information in the Error Console when testing release candidates before bug 1500105 landed.
Reporter

Comment 2

5 months ago
Ben, the sooner we solve this issue, the sooner we can uplift all the "Owl bugs" to beta and ESR.
Assignee

Comment 3

5 months ago
OK, I will get on this today.
Flags: needinfo?(ben.bucksch)
Assignee

Comment 4

5 months ago
I made the mistake to update Gecko and Thunderbird, and Gecko doesn't build on my system anymore. (It worked a few weeks ago, no changes on my side, other than running ./mach bootstrap today.) I've tried twice to no avail. I'll go back to an earlier revision, given that no relevant code changed here.
Assignee

Updated

5 months ago
Assignee: nobody → ben.bucksch
Ben:  do a ./mach bootstap to make it build. There's some configure check missing (known m-c issue) but bootstrapping installs what's needed
Assignee

Comment 6

5 months ago
Yeah, I did that right before building, to no avail. I can try again. Thanks for the help.
Assignee

Comment 7

5 months ago
It seems it was an Gecko upstream bug. I updated again and it builds and runs now.
Assignee

Comment 8

5 months ago
I've had 3 options here:
* Remove the output
  * Simple to implement
  * But I often need information from end users who report that something is not working correctly.
    So, this new debug information here is highly useful.
* Keep the only code, but copy the object, then remove specific properties for password and username
  * Small code change
  * More code in application code
* Create a utility function that outputs a configuration
  * Much nicer output for end users. A lot more compact output on the console (2-5 lines now vs. 25-120 lines before)
    and much better readable, because we can translate enums into words
  * More code overall
  * Safer to ensure that we're not forgetting to remove some values, e.g. in the alternative configs.

Here's the new output (standard case, no alternatives):

Incoming: imap, imap.gmx.net:993, SSL, auth: plain, username: (redacted), pw: not set
Outgoing: smtp, mail.gmx.net:465, SSL, auth: plain, username: (redacted), pw: not set
Reporter

Comment 10

5 months ago
Comment on attachment 9034272 [details] [diff] [review]
Beautify the account config debug output, remove password, v1

Review of attachment 9034272 [details] [diff] [review]:
-----------------------------------------------------------------

Drive-by comment.

::: mail/components/accountcreation/content/accountConfig.js
@@ +260,5 @@
> +      if (!username) {
> +        return "undefined";
> +      }
> +      var domain = username.split("@")[1];
> +      return domain ? "(redacted)@" + domain : "(redacted)";

Is there a need to remove that? Username/domain or full e-mail is visible in the A/M in general. So why suppress it here.
Assignee

Comment 11

5 months ago
It's not strictly necessary, no. But I think Walt or somebody else complained about it. And it makes it easier to send on the debug output anonymously and e.g. pasting it here on bugzilla. The concrete username is rarely relevant for debugging. But the concrete domain is very important.
So, not really necessary, but if I'm already going through all the trouble of privacy-protecting the output, then I might just as well remove this as well.
Comment on attachment 9034272 [details] [diff] [review]
Beautify the account config debug output, remove password, v1

>+    gEmailWizardLogger.info("foundConfig:\n" + config);
Nit: This should be "found config:\n".
Attachment #9034272 - Flags: review?(neil) → review+
Posted patch Fixed nitSplinter Review
Ben isn't around to update the patch today so to save you the trouble of fixing it locally when you check it in I created an updated patch.
Attachment #9034407 - Flags: review+
Reporter

Comment 14

5 months ago
Thanks, Neil, I'll take it from here. Ben, please do *NOT* land yourself, the tree is semi-busted right now.
Keywords: checkin-needed
Target Milestone: --- → Thunderbird 66.0
Assignee

Comment 15

5 months ago
@Jörg: Sure. Thanks!
@Neil: Thanks for the review and nit fix.
Assignee

Comment 16

5 months ago
commit message:
Bug 1516229 - [autoconfig] Beautify the account config debug output, and avoid logging the password - r=Neil
Reporter

Comment 17

5 months ago
Comment on attachment 9034407 [details] [diff] [review]
Fixed nit

I guess you want beta uplift for this together with the other Owl bugs I'll reland for TB 65 beta 2.
Attachment #9034407 - Flags: approval-comm-beta+
Reporter

Updated

5 months ago
Attachment #9034407 - Flags: approval-comm-esr60?
Assignee

Comment 18

5 months ago
> beta uplift for this together with the other Owl bugs I'll reland for TB 65 beta 2.

Yes, indeed, sorry for not setting the flags. Indeed, that was the purpose of this patch, so that the Owl/Exchange patches can land in beta ASAP.
Reporter

Comment 19

5 months ago
I tested this before landing it. I'll take the liberty to change "pw" to "password" here:
username: (redacted)@jorgk.com, pw: set

Also, there's an ugly space after here:
CHOOSING imap mail.server.de:143, auth method 3 , SSL 3
I've tweaked that.

Otherwise it looks great.

Comment 20

5 months ago
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/1cb168d17d1b
[autoconfig] Beautify the account config debug output and avoid logging the password. r=Neil
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Keywords: checkin-needed
Resolution: --- → FIXED
Reporter

Comment 22

5 months ago
Can you please check linting before you submit a patch :-(

$ ../mach eslint mail/components/
c:\mozilla-source\comm-central\comm\mail\components\accountcreation\content\accountConfig.js
  274:22  error  Infix operators must be spaced.  space-infix-ops (eslint)
  275:21  error  Infix operators must be spaced.  space-infix-ops (eslint)
  291:14  error  'config' is already defined.     no-redeclare (eslint)

c:\mozilla-source\comm-central\comm\mail\components\accountcreation\content\emailWizard.js
  42:3  error  Expected space or tab after '//' in comment.  spaced-comment (eslint)

? 4 problems (4 errors, 0 warnings)
Reporter

Comment 23

5 months ago
And all the usage of 'var' shouldn't have passed review :-(

Comment 24

5 months ago
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/49c5d6324673
Follow-up: Fix linting errors. r=me DONTBUILD

I'm still seeing my Username and Passwords in plain text when creating accounts in 65.0b2 on both Windows and Linux.

Build ID: 20190107162308

2019-01-08 21:52:18 mail.setup INFO Initializing setup wizard
2019-01-08 21:52:19 mail.setup INFO Email account setup dialog loaded.
2019-01-08 21:52:19 mail.setup INFO switching to UI mode start
2019-01-08 21:52:20 mail.setup INFO Shutting down email config dialog
2019-01-08 21:53:04 mail.setup INFO Initializing setup wizard
2019-01-08 21:53:04 mail.setup INFO Email account setup dialog loaded.
2019-01-08 21:53:04 mail.setup INFO switching to UI mode start
1547002391416 Telemetry::CoveragePing ERROR no endpoint base set Log.jsm:684
2019-01-08 21:53:39 mail.setup INFO findConfig()
2019-01-08 21:53:39 mail.setup INFO switching to UI mode find-config
2019-01-08 21:53:39 mail.setup WARN spinner start looking_up_settings
2019-01-08 21:53:39 mail.setup INFO status msg: Looking up configuration…
2019-01-08 21:53:39 mail.setup INFO Requesting http://autoconfig.comcast.net/mail/config-v1.1.xml
2019-01-08 21:53:39 mail.setup INFO args.urlArgs=[object]
args.urlArgs.emailaddress=xxxxx@comcast.net
args.headers=[object]
args.headers is empty
args.post=false
args.allowCache=true
args.allowAuthPrompt=false
args.requireSecureAuth=false

2019-01-08 21:53:39 mail.setup INFO Requesting http://comcast.net/.well-known/autoconfig/mail/config-v1.1.xml
2019-01-08 21:53:39 mail.setup INFO args.urlArgs=[object]
args.urlArgs.emailaddress=xxxxx@comcast.net
args.headers=[object]
args.headers is empty
args.post=false
args.allowCache=true
args.allowAuthPrompt=false
args.requireSecureAuth=false

2019-01-08 21:53:39 mail.setup INFO Requesting https://live.thunderbird.net/autoconfig/v1.1/comcast.net
2019-01-08 21:53:39 mail.setup INFO args.urlArgs=[object]
args.urlArgs is empty
args.headers=[object]
args.headers is empty
args.post=false
args.allowCache=true
args.allowAuthPrompt=false
args.requireSecureAuth=false

2019-01-08 21:53:39 mail.setup INFO Requesting https://live.thunderbird.net/dns/mx/comcast.net
2019-01-08 21:53:39 mail.setup INFO args.urlArgs=[object]
args.urlArgs is empty
args.headers=[object]
args.headers is empty
args.post=false
args.allowCache=true
args.allowAuthPrompt=false
args.requireSecureAuth=false

2019-01-08 21:53:39 mail.setup INFO Requesting https://comcast.net/autodiscover/autodiscover.xml
2019-01-08 21:53:39 mail.setup INFO with body:
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>xxxxx@comcast.net</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
2019-01-08 21:53:39 mail.setup INFO args.uploadBody=<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>xxxxx@comcast.net</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
args.post=true
args.headers=[object]
args.headers.Content-Type=text/xml; charset=utf-8
args.username=xxxxx@comcast.net
args.password=xxxxx
args.requireSecureAuth=true
args.allowAuthPrompt=false
args.urlArgs=[object]
args.urlArgs is empty
args.allowCache=true

2019-01-08 21:53:39 mail.setup INFO Requesting https://autodiscover.comcast.net/autodiscover/autodiscover.xml
2019-01-08 21:53:39 mail.setup INFO with body:
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>xxxxx@comcast.net</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
2019-01-08 21:53:39 mail.setup INFO args.uploadBody=<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>xxxxx@comcast.net</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
args.post=true
args.headers=[object]
args.headers.Content-Type=text/xml; charset=utf-8
args.username=xxxxx@comcast.net
args.password=xxxxx
args.requireSecureAuth=true
args.allowAuthPrompt=false
args.urlArgs=[object]
args.urlArgs is empty
args.allowCache=true

2019-01-08 21:53:39 mail.setup INFO Requesting http://autodiscover.comcast.net/autodiscover/autodiscover.xml
2019-01-08 21:53:39 mail.setup INFO with body:
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>xxxxx@comcast.net</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
2019-01-08 21:53:39 mail.setup INFO args.uploadBody=<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>xxxxx@comcast.net</EMailAddress>
<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
args.post=true
args.headers=[object]
args.headers.Content-Type=text/xml; charset=utf-8
args.username=xxxxx@comcast.net
args.password=xxxxx
args.requireSecureAuth=true
args.allowAuthPrompt=false
args.urlArgs=[object]
args.urlArgs is empty
args.allowCache=true

2019-01-08 21:53:39 mail.setup INFO call 0 took 25ms and failed with local file not found
2019-01-08 21:53:39 mail.setup INFO call 2 took 318ms and succeeded at http://autodiscover.comcast.net/autodiscover/autodiscover.xml
2019-01-08 21:53:39 mail.setup INFO call 0 took 339ms and succeeded at http://autoconfig.comcast.net/mail/config-v1.1.xml
2019-01-08 21:53:42 mail.setup INFO call 1 took 2382ms and succeeded at https://autodiscover.comcast.net/autodiscover/autodiscover.xml
2019-01-08 21:53:42 mail.setup INFO call 1 took 2592ms and failed with Not Found at http://comcast.net/.well-known/autoconfig/mail/config-v1.1.xml
2019-01-08 21:53:42 mail.setup INFO call 1 took 2596ms and failed with The config file XML does not contain an email account configuration.
2019-01-08 21:53:42 mail.setup INFO MX query result:
mx1.comcast.net
mx2.comcast.net
(end)
2019-01-08 21:53:42 mail.setup INFO getmx took 2684ms
2019-01-08 21:53:42 mail.setup INFO base domain comcast.net for mx1.comcast.net
2019-01-08 21:53:42 mail.setup INFO call 3 took 2686ms and failed with MX lookup would be no different from domain
2019-01-08 21:53:42 mail.setup INFO call 2 took 2977ms and succeeded at https://live.thunderbird.net/autoconfig/v1.1/comcast.net
2019-01-08 21:53:42 mail.setup INFO status msg: Configuration found in Mozilla ISP database
2019-01-08 21:53:42 mail.setup WARN all spinner stop found_settings_db
2019-01-08 21:53:42 mail.setup INFO found config:
Incoming: imap, imap.comcast.net:993, SSL, auth: plain, username: (redacted), password: not set
Outgoing: smtp, smtp.comcast.net:465, SSL, auth: plain, username: (redacted), password: not set
Incoming alt: imap, imap.comcast.net:143, STARTTLS, auth: plain, username: (redacted), password: not set
Incoming alt: pop3, mail.comcast.net:995, SSL, auth: plain, username: (redacted), password: not set
Incoming alt: pop3, mail.comcast.net:110, STARTTLS, auth: plain, username: (redacted), password: not set
Outgoing alt: smtp, smtp.comcast.net:587, STARTTLS, auth: plain, username: (redacted), password: not set
2019-01-08 21:53:42 mail.setup INFO switching to UI mode result
2019-01-08 21:53:42 mail.setup INFO call 0 took 2978ms and failed with User cancelled at https://comcast.net/autodiscover/autodiscover.xml
2019-01-08 21:53:42 mail.setup INFO call 4 took 2980ms and failed with No valid configs found in AutoDiscover XML
2019-01-08 21:53:42 mail.setup INFO status msg: Configuration found in Mozilla ISP database
2019-01-08 21:53:42 mail.setup WARN all spinner stop found_settings_db
2019-01-08 21:53:42 mail.setup INFO found config:
Incoming: imap, imap.comcast.net:993, SSL, auth: plain, username: (redacted), password: not set
Outgoing: smtp, smtp.comcast.net:465, SSL, auth: plain, username: (redacted), password: not set
Incoming alt: imap, imap.comcast.net:143, STARTTLS, auth: plain, username: (redacted), password: not set
Incoming alt: pop3, mail.comcast.net:995, SSL, auth: plain, username: (redacted), password: not set
Incoming alt: pop3, mail.comcast.net:110, STARTTLS, auth: plain, username: (redacted), password: not set
Outgoing alt: smtp, smtp.comcast.net:587, STARTTLS, auth: plain, username: (redacted), password: not set
2019-01-08 21:53:46 mail.setup INFO Create button clicked
2019-01-08 21:53:46 mail.setup WARN spinner start checking_password
2019-01-08 21:53:46 mail.setup INFO status msg: Checking password…
2019-01-08 21:53:46 mail.setup INFO verify config:
Incoming: pop3, mail.comcast.net:995, SSL, auth: plain, username: (redacted)@comcast.net, password: set
Outgoing: smtp, smtp.comcast.net:465, SSL, auth: plain, username: (redacted)@comcast.net, password: set
Incoming alt: imap, imap.comcast.net:993, SSL, auth: plain, username: (redacted), password: not set
Incoming alt: imap, imap.comcast.net:143, STARTTLS, auth: plain, username: (redacted), password: not set
Incoming alt: pop3, mail.comcast.net:110, STARTTLS, auth: plain, username: (redacted), password: not set
Outgoing alt: smtp, smtp.comcast.net:587, STARTTLS, auth: plain, username: (redacted), password: not set
2019-01-08 21:53:46 mail.setup INFO Setting incoming server authMethod to 3
2019-01-08 21:53:46 mail.setup INFO verifyLogon for server at mail.comcast.net
2019-01-08 21:53:48 mail.setup INFO status msg: Password OK
2019-01-08 21:53:48 mail.setup WARN all spinner stop password_ok
2019-01-08 21:53:48 mail.setup INFO creating account in backend
2019-01-08 21:53:48 mail.setup INFO Shutting down email config dialog

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee

Comment 27

4 months ago

Ah.... I thought this bug was about something else, about the configuration dump.
What you paste here now is the server call log. Yes, I see what you mean. I can easily remove this.
Patch will follow.

Assignee

Comment 28

4 months ago

WaltS, just to confirm, to avoid further round trips:
This here is the only remaining place where you see the password, right?
2019-01-08 21:53:39 mail.setup INFO args.uploadBody=

xxxxx@comcast.net
http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a

args.post=true
args.headers=[object]
args.headers.Content-Type=text/xml; charset=utf-8
args.username=xxxxx@comcast.net
args.password=xxxxx

(As Jörg mentioned, the email address being logged is not a bug per se, as the logs are completely local on your machine only and the email address by definition is something you generally share with the world.)

Assignee

Comment 29

4 months ago

I really don't need this debug output anymore, so removing this without replacement. This should cover the "args" and "body" stuff that WaltS posted.

Attachment #9035220 - Flags: review?(neil)

(In reply to Ben Bucksch (:BenB) from comment #28)

WaltS, just to confirm, to avoid further round trips:
This here is the only remaining place where you see the password, right?
2019-01-08 21:53:39 mail.setup INFO args.uploadBody=

xxxxx@comcast.net
http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a

args.post=true
args.headers=[object]
args.headers.Content-Type=text/xml; charset=utf-8
args.username=xxxxx@comcast.net
args.password=xxxxx

(As Jörg mentioned, the email address being logged is not a bug per se, as the logs are completely local on your machine only and the email address by definition is something you generally share with the world.)

Yes, that's the only remaining place I see the password.

I double checked by creating my Gmail IMAP account and triple checked by creating my Verizon POP3 account in 65.0b2 (build2) on Linux. I also saw the problem testing the 65.0b2 release candidate on Windows 10.

Reporter

Comment 31

4 months ago

Comment on attachment 9035220 [details] [diff] [review]
Remove fetchhttp debug output, v3

Let's steal this review ;-)

Attachment #9035220 - Flags: review?(neil) → review+

Comment 32

4 months ago

Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/948232e82f71
Follow-up: Remove fetchhttp debug output. r=jorgk

Status: REOPENED → RESOLVED
Last Resolved: 5 months ago4 months ago
Resolution: --- → FIXED
Assignee

Comment 33

4 months ago

Thanks, Jörg :)

Assignee

Updated

4 months ago
Assignee

Comment 35

4 months ago

Comment on attachment 9035220 [details] [diff] [review]
Remove fetchhttp debug output, v3

[Approval Request Comment]
User impact if declined:
Password on console
Risk to taking this patch (and alternatives if risky):
Minimal

Attachment #9035220 - Flags: approval-comm-esr60?
Attachment #9035220 - Flags: approval-comm-beta?
Reporter

Comment 36

4 months ago

Comment on attachment 9035220 [details] [diff] [review]
Remove fetchhttp debug output, v3

Already landed on beta, see comment #34.

Attachment #9035220 - Flags: approval-comm-beta? → approval-comm-beta+
Assignee

Comment 37

4 months ago

@WaltS: Can you please verify that this fixes the bug? If so, please mark the bug VERIFIED FIXED. Thank you.

Flags: needinfo?(wls220spring)

I don't see a plaintext password for any of my accounts in the error console using TB Daily 66.0a1 Build ID: 20190112092330 on Linux Mint 19.1.

Status: RESOLVED → VERIFIED
Flags: needinfo?(wls220spring)
Assignee

Comment 39

4 months ago

Thanks for verifying!

Reporter

Updated

4 months ago
Attachment #9034407 - Flags: approval-comm-esr60?
Reporter

Updated

4 months ago
Attachment #9035220 - Flags: approval-comm-esr60?
Reporter

Comment 40

4 months ago

Merged patch including the two follow-ups rebased for ESR 60 from Neil's try run and a few var/let and white-space tweaks to make it more like the beta patch.

Attachment #9037931 - Flags: approval-comm-esr60+
You need to log in before you can comment on or make changes to this bug.