Can't recover egencia password because content blocking blocks the captcha
Categories: Core :: Privacy: Anti-Tracking, defect, P2
People: Reporter: emilio, Assigned: englehardt
References: Blocks 2 open bugs
Console shows:
The resource at “https://api-expedia.nd.nudatasecurity.com/2.2/w/w-581069/sync/js/” was blocked because content blocking is enabled.
password
The resource at “https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=VIDEO&lang=eng&index=0&token=1.w-581069.1.2.lJPIqRQtZXzPRZ6tIqRWfQ,,.T02yj0pCSP2kV-ylgtiTGDwWbp1uvJ5fr2cpqEYPY8p_k7WMrtIXMPLrukxntZe_lhhas81_JpGbWAoYsvvzcrfY4_pebeLXzp6hkG3ALo_ehbuL6V7ADT0uIY3fPQWx0DqRUc_YNghnt7xpUUII9re1F3mD51oOEipT8kRIbHxFcp-B6JAc2DR5ZkKtdcqAsa6PF55rz2QL-6qh_jfNMvFGkzMnLz_rZ_LCqOKbR5ukrQeSbdpEBAWFE5zQ0S_bqbagGAvwl56sXxBdZ6Y7iL6IiZ7PfDOlCRQRTCPnp3tLtKC1y0lnUXQTTBjLIBSm-Whr_Aq0ld9iSbZGsPyh8bDrTAbG6ey75f4HtbjZUi08fDWvtwUWTn5JRlP3AYfN&r=rs-jPlBmoay3Y5kLc9rxo0Jpwxx&ptype=SCRIPT” was blocked because content blocking is enabled.
password
All candidate resources failed to load. Media load paused. password
The resource at “https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=AUDIO&lang=eng&index=0&token=1.w-581069.1.2.lJPIqRQtZXzPRZ6tIqRWfQ,,.T02yj0pCSP2kV-ylgtiTGDwWbp1uvJ5fr2cpqEYPY8p_k7WMrtIXMPLrukxntZe_lhhas81_JpGbWAoYsvvzcrfY4_pebeLXzp6hkG3ALo_ehbuL6V7ADT0uIY3fPQWx0DqRUc_YNghnt7xpUUII9re1F3mD51oOEipT8kRIbHxFcp-B6JAc2DR5ZkKtdcqAsa6PF55rz2QL-6qh_jfNMvFGkzMnLz_rZ_LCqOKbR5ukrQeSbdpEBAWFE5zQ0S_bqbagGAvwl56sXxBdZ6Y7iL6IiZ7PfDOlCRQRTCPnp3tLtKC1y0lnUXQTTBjLIBSm-Whr_Aq0ld9iSbZGsPyh8bDrTAbG6ey75f4HtbjZUi08fDWvtwUWTn5JRlP3AYfN&r=rs-jPlBmoay3Y5kLc9rxo0Jpwxx&ptype=SCRIPT” was blocked because content blocking is enabled.
password
All candidate resources failed to load. Media load paused. password
Comment 1 • 6 years ago (Assignee)
STR: Go to https://www.egencia.com/auth/v1/forgot/password
Expected: The middle box shows 4 moving characters that you need to enter for a captcha
Actual: The middle box shows the static string "NuCaptcha Media"
nudatasecurity.com matches the following features according to about:url-classifier:
fingerprinting
  List of tables: base-fingerprinting-track-digest256
tracking-protection
  List of tables: base-track-digest256
tracking-annotation
  List of tables: base-track-digest256
So this is blocked by cookie restrictions, tracking protection, and fingerprinting blocking. If I visit the site only with cookie restrictions enabled, I do see the four captcha characters. I'm not able to verify whether the password reset works in this condition, as my egencia account doesn't have a password (i.e., is locked to Mozilla's SSO).
Regardless, this will still be broken in private browsing mode (due to TP) and with FP blocking. Assuming the reset works with cookie restrictions, we can move this domain to the "Content" category and consider redefining the base-fingerprinting list to exclude domains in the "Content" category.
Comment 2 • 5 years ago (Assignee)
This appears to have been fixed by Egencia. The captcha content is now served from a first-party domain.
We still see:
The resource at “https://api-expedia.nd.nudatasecurity.com/2.2/w/w-581069/sync/js/” was blocked because content blocking is enabled.
but the other URL from comment 0:
The resource at “https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=AUDIO&lang=eng&index=0&token=1.w-581069.1.2.lJPIqRQtZXzPRZ6tIqRWfQ,,.T02yj0pCSP2kV-ylgtiTGDwWbp1uvJ5fr2cpqEYPY8p_k7WMrtIXMPLrukxntZe_lhhas81_JpGbWAoYsvvzcrfY4_pebeLXzp6hkG3ALo_ehbuL6V7ADT0uIY3fPQWx0DqRUc_YNghnt7xpUUII9re1F3mD51oOEipT8kRIbHxFcp-B6JAc2DR5ZkKtdcqAsa6PF55rz2QL-6qh_jfNMvFGkzMnLz_rZ_LCqOKbR5ukrQeSbdpEBAWFE5zQ0S_bqbagGAvwl56sXxBdZ6Y7iL6IiZ7PfDOlCRQRTCPnp3tLtKC1y0lnUXQTTBjLIBSm-Whr_Aq0ld9iSbZGsPyh8bDrTAbG6ey75f4HtbjZUi08fDWvtwUWTn5JRlP3AYfN&r=rs-jPlBmoay3Y5kLc9rxo0Jpwxx&ptype=SCRIPT” was blocked because content blocking is enabled.
is now served first-party:
https://www.egencia.com/captcha/1.0/w/3.44.84921/w-581069/captcha?type=VIDEO&lang=eng&index=0&token=1.w-581069.1.2.iIB0wKxEnqB5zT8d_vfYAg,,.i0w9eaRoXDQ5YSyElmc-wU_4hgVg3-U1r6EfTpoT_1a7lIpfKpbZwpOJ8TRky-mdANypYPUvsoSey8LETOSbt8fOKPhHGtUiElahIddsH7eDRH_aT8U-eBU9DC6m_WW63_ZBg3Lc2qu-Z-1zuMjTT-9JCOLphuTlnaLfGIcGlMiyosgStvzu0r4JJPDmPe9qRTcK6rCVOlcN2RPr1-azk1YeF1LGtFOt6-imLY76gsr706fklJdwpS2-jq5Z68SeSXUU76JuUI0fWIV6r5A6pY8IAMM8YKmwkS_bOSux81DK2XDDsDcgfxfxmzm1NZERbFO2DDwRrjU5UQjUBGae8tQa7u5hB3xcTsHapKvIqRoyfEqsI5NALtaWeHNqurHu&r=rs-x4HbhMsZWd19CyeMf8ztUAxx&ptype=SCRIPT
I can get through the initial screen, but as I stated in Comment 1, our SSO prevents me from actually doing a full password reset.
My concern now is whether this was an action taken specifically by egencia or something that nudatasecurity is requiring all first parties to do. We should look at other sites that embed nudatasecurity and check to see if their captchas load.
Comment 3 • 5 years ago (Assignee)
Closing this as fixed since the breakage is no longer present on egencia.
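An added example, not part of the bug thread or of Firefox's code: a small triage script for the console messages quoted in comment 0. It groups blocked loads, counts retries, and shows why the first-party URL from comment 2 is no longer a third-party load. The two-label site rule, the `/captcha` heuristic and the placeholder tokens are assumptions made for the example.

```javascript
// Added example (not from the bug): triage Firefox content-blocking console lines.
const BLOCKED_RE =
  /The resource at “([^”]+)” was blocked because content blocking is enabled\./g;

// Assumption: registrable domain = last two host labels. This holds for the
// hosts in this bug; production code should consult the Public Suffix List.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isThirdParty(resourceUrl, pageUrl) {
  return site(new URL(resourceUrl).hostname) !== site(new URL(pageUrl).hostname);
}

// Group blocked loads by host + path + "type" parameter so that retries of the
// same resource collapse into one entry with a count.
function triageBlocked(consoleText, pageUrl) {
  const groups = new Map();
  for (const match of consoleText.matchAll(BLOCKED_RE)) {
    const url = new URL(match[1]);
    const type = url.searchParams.get('type') || 'n/a';
    const key = `${url.hostname}${url.pathname}#${type}`;
    const entry = groups.get(key) || {
      host: url.hostname,
      type,
      thirdParty: isThirdParty(url.href, pageUrl),
      // Hypothetical heuristic: a path ending in /captcha is user-facing content.
      userFacing: url.pathname.endsWith('/captcha'),
      count: 0,
    };
    entry.count += 1;
    groups.set(key, entry);
  }
  return [...groups.values()];
}

// Constructed sample: hosts and paths from the bug, token replaced by a placeholder.
const PAGE = 'https://www.egencia.com/auth/v1/forgot/password';
const NUDATA = 'https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha';
const line = (u) => `The resource at “${u}” was blocked because content blocking is enabled.`;
const SAMPLE_LOG = [
  line('https://api-expedia.nd.nudatasecurity.com/2.2/w/w-581069/sync/js/'),
  line(`${NUDATA}?type=VIDEO&lang=eng&index=0&token=PLACEHOLDER`),
  line(`${NUDATA}?type=AUDIO&lang=eng&index=0&token=PLACEHOLDER`),
  line(`${NUDATA}?type=AUDIO&lang=eng&index=0&token=PLACEHOLDER`),
].join('\npassword\n');

console.table(triageBlocked(SAMPLE_LOG, PAGE));
```

Entries with `thirdParty` and `userFacing` both true are the ones that break the page for the user; the `sync/js/` script is blocked without any visible effect.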