Closed Bug 1534922 Opened 6 years ago Closed 5 years ago

Can't recover egencia password because content blocking blocks the captcha

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

RESOLVED FIXED

People

(Reporter: emilio, Assigned: englehardt)

References

(Blocks 2 open bugs)

Details

Console shows:

The resource at “https://api-expedia.nd.nudatasecurity.com/2.2/w/w-581069/sync/js/” was blocked because content blocking is enabled.
password
The resource at “https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=VIDEO&lang=eng&index=0&token=1.w-581069.1.2.lJPIqRQtZXzPRZ6tIqRWfQ,,.T02yj0pCSP2kV-ylgtiTGDwWbp1uvJ5fr2cpqEYPY8p_k7WMrtIXMPLrukxntZe_lhhas81_JpGbWAoYsvvzcrfY4_pebeLXzp6hkG3ALo_ehbuL6V7ADT0uIY3fPQWx0DqRUc_YNghnt7xpUUII9re1F3mD51oOEipT8kRIbHxFcp-B6JAc2DR5ZkKtdcqAsa6PF55rz2QL-6qh_jfNMvFGkzMnLz_rZ_LCqOKbR5ukrQeSbdpEBAWFE5zQ0S_bqbagGAvwl56sXxBdZ6Y7iL6IiZ7PfDOlCRQRTCPnp3tLtKC1y0lnUXQTTBjLIBSm-Whr_Aq0ld9iSbZGsPyh8bDrTAbG6ey75f4HtbjZUi08fDWvtwUWTn5JRlP3AYfN&r=rs-jPlBmoay3Y5kLc9rxo0Jpwxx&ptype=SCRIPT” was blocked because content blocking is enabled.
password
All candidate resources failed to load. Media load paused. password
The resource at “https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=AUDIO&lang=eng&index=0&token=1.w-581069.1.2.lJPIqRQtZXzPRZ6tIqRWfQ,,.T02yj0pCSP2kV-ylgtiTGDwWbp1uvJ5fr2cpqEYPY8p_k7WMrtIXMPLrukxntZe_lhhas81_JpGbWAoYsvvzcrfY4_pebeLXzp6hkG3ALo_ehbuL6V7ADT0uIY3fPQWx0DqRUc_YNghnt7xpUUII9re1F3mD51oOEipT8kRIbHxFcp-B6JAc2DR5ZkKtdcqAsa6PF55rz2QL-6qh_jfNMvFGkzMnLz_rZ_LCqOKbR5ukrQeSbdpEBAWFE5zQ0S_bqbagGAvwl56sXxBdZ6Y7iL6IiZ7PfDOlCRQRTCPnp3tLtKC1y0lnUXQTTBjLIBSm-Whr_Aq0ld9iSbZGsPyh8bDrTAbG6ey75f4HtbjZUi08fDWvtwUWTn5JRlP3AYfN&r=rs-jPlBmoay3Y5kLc9rxo0Jpwxx&ptype=SCRIPT” was blocked because content blocking is enabled.
password
All candidate resources failed to load. Media load paused. password
Assignee: nobody → senglehardt

STR: Go to https://www.egencia.com/auth/v1/forgot/password
Expected: The middle box shows 4 moving characters that you need to enter for a captcha
Actual: The middle box shows the static string "NuCaptcha Media"

nudatasecurity.com matches the following features according to about:url-classifier:

fingerprinting
List of tables: base-fingerprinting-track-digest256

tracking-protection
List of tables: base-track-digest256

tracking-annotation
List of tables: base-track-digest256

So this is blocked by cookie restrictions, tracking protection, and fingerprinting blocking. If I visit the site only with cookie restrictions enabled, I do see the four captcha characters. I'm not able to verify whether the password reset works in this condition, as my egencia account doesn't have a password (i.e., is locked to Mozilla's SSO).

Regardless, this will still be broken in private browsing mode (due to TP) and with FP blocking. Assuming the reset works with cookie restrictions, we can move this domain to the "Content" category and consider redefining the base-fingerprinting list to exclude domains in the "Content" category.

Type: enhancement → defect
Priority: -- → P2
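
The classification described in the comment above, modelled as an added example (not Firefox code and not part of the original bug). It is a simplified sketch: list contents are constructed from the about:url-classifier output quoted above, the registrable-domain helper and the proposed-list contents are assumptions, and the URLs are the ones from this bug with the token omitted. It also covers the first-party serving reported later in this bug.

```javascript
// Simplified model of the blocking decision discussed in this bug; not Firefox code.
// Assumption: registrable domain = last two host labels (browsers use the Public Suffix List).
const baseDomain = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Constructed list data mirroring the about:url-classifier output quoted in the bug.
const CURRENT_LISTS = {
  "tracking-protection": new Set(["nudatasecurity.com"]), // base-track-digest256
  "fingerprinting": new Set(["nudatasecurity.com"]), // base-fingerprinting-track-digest256
  "tracking-annotation": new Set(["nudatasecurity.com"]), // base-track-digest256
};
// Proposal: domain moved to "Content" and excluded from both blocking lists.
// Assumption: it stays annotated, so cookie restrictions keep applying.
const PROPOSED_LISTS = {
  "tracking-protection": new Set(),
  "fingerprinting": new Set(),
  "tracking-annotation": new Set(["nudatasecurity.com"]),
};

function decide(pageUrl, resourceUrl, enabledFeatures, lists) {
  const site = baseDomain(resourceUrl);
  // Only third-party loads are classified; a first-party load is never list-blocked.
  if (site === baseDomain(pageUrl)) return { load: "allowed", cookies: "allowed", matched: [] };
  const matched = enabledFeatures.filter((f) => lists[f].has(site));
  // Annotation alone restricts cookies; the other two features cancel the load.
  const blocked = matched.some((f) => f !== "tracking-annotation");
  const cookies = matched.includes("tracking-annotation") ? "restricted" : "allowed";
  return { load: blocked ? "blocked" : "allowed", cookies, matched };
}

// URLs from the bug with the query string shortened (token omitted).
const PAGE = "https://www.egencia.com/auth/v1/forgot/password";
const THIRD_PARTY = "https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=VIDEO";
const FIRST_PARTY = "https://www.egencia.com/captcha/1.0/w/3.44.84921/w-581069/captcha?type=VIDEO";
const ALL = ["tracking-annotation", "tracking-protection", "fingerprinting"];

function scenarios() {
  return {
    asReported: decide(PAGE, THIRD_PARTY, ALL, CURRENT_LISTS),
    cookieRestrictionsOnly: decide(PAGE, THIRD_PARTY, ["tracking-annotation"], CURRENT_LISTS),
    privateBrowsingTP: decide(PAGE, THIRD_PARTY, ["tracking-protection"], CURRENT_LISTS),
    afterListChange: decide(PAGE, THIRD_PARTY, ALL, PROPOSED_LISTS),
    afterFirstPartyFix: decide(PAGE, FIRST_PARTY, ALL, CURRENT_LISTS),
  };
}

for (const [name, r] of Object.entries(scenarios())) {
  console.log(name.padEnd(24), r.load, "cookies:", r.cookies, "matched:", r.matched.join(",") || "-");
}
```
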

This appears to have been fixed by Egencia. The captcha content is now served from a first-party domain.

We still see The resource at “https://api-expedia.nd.nudatasecurity.com/2.2/w/w-581069/sync/js/” was blocked because content blocking is enabled., but the other URL from comment 0:

The resource at “https://api-us-west-2.nd.nudatasecurity.com/1.0/w/3.44.84921/w-581069/captcha?type=AUDIO&lang=eng&index=0&token=1.w-581069.1.2.lJPIqRQtZXzPRZ6tIqRWfQ,,.T02yj0pCSP2kV-ylgtiTGDwWbp1uvJ5fr2cpqEYPY8p_k7WMrtIXMPLrukxntZe_lhhas81_JpGbWAoYsvvzcrfY4_pebeLXzp6hkG3ALo_ehbuL6V7ADT0uIY3fPQWx0DqRUc_YNghnt7xpUUII9re1F3mD51oOEipT8kRIbHxFcp-B6JAc2DR5ZkKtdcqAsa6PF55rz2QL-6qh_jfNMvFGkzMnLz_rZ_LCqOKbR5ukrQeSbdpEBAWFE5zQ0S_bqbagGAvwl56sXxBdZ6Y7iL6IiZ7PfDOlCRQRTCPnp3tLtKC1y0lnUXQTTBjLIBSm-Whr_Aq0ld9iSbZGsPyh8bDrTAbG6ey75f4HtbjZUi08fDWvtwUWTn5JRlP3AYfN&r=rs-jPlBmoay3Y5kLc9rxo0Jpwxx&ptype=SCRIPT” was blocked because content blocking is enabled.

is now served first-party:

https://www.egencia.com/captcha/1.0/w/3.44.84921/w-581069/captcha?type=VIDEO&lang=eng&index=0&token=1.w-581069.1.2.iIB0wKxEnqB5zT8d_vfYAg,,.i0w9eaRoXDQ5YSyElmc-wU_4hgVg3-U1r6EfTpoT_1a7lIpfKpbZwpOJ8TRky-mdANypYPUvsoSey8LETOSbt8fOKPhHGtUiElahIddsH7eDRH_aT8U-eBU9DC6m_WW63_ZBg3Lc2qu-Z-1zuMjTT-9JCOLphuTlnaLfGIcGlMiyosgStvzu0r4JJPDmPe9qRTcK6rCVOlcN2RPr1-azk1YeF1LGtFOt6-imLY76gsr706fklJdwpS2-jq5Z68SeSXUU76JuUI0fWIV6r5A6pY8IAMM8YKmwkS_bOSux81DK2XDDsDcgfxfxmzm1NZERbFO2DDwRrjU5UQjUBGae8tQa7u5hB3xcTsHapKvIqRoyfEqsI5NALtaWeHNqurHu&r=rs-x4HbhMsZWd19CyeMf8ztUAxx&ptype=SCRIPT

I can get through the initial screen, but as I stated in Comment 1, our SSO prevents me from actually doing a full password reset.

My concern now is whether this was an action taken specifically by egencia or something that nudatasecurity is requiring all first parties to do. We should look at other sites that embed nudatasecurity and check to see if their captchas load.

See Also: → 1590067

Closing this as fixed since the breakage is no longer present on egencia.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
See Also: → 1599124