Closed Bug 1584915 Opened 5 years ago Closed 5 years ago

Firefox Monitor FAQs should not ask user to check sender address

Categories

(support.mozilla.org :: Knowledge Base Content, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: johannh, Unassigned)

Details

As noted in bug 1574197:

https://support.mozilla.org/en-US/kb/firefox-monitor-faq?as=u&utm_source=inproduct

Check the email address in the sender's field. Firefox Monitor emails will always come from breach-alerts@mozilla.com.

That seems like really bad advice. It is trivial to spoof the sender of an email.

I'm not sure what the exact threat model for spoofed monitor emails is, so take my advice with some caution, but I presume the biggest issue could be pretend "breaches" that lead to sites that ask you to verify your email and password in order to see if they were "really breached". In this case it's probably a better idea to call out that we will never ask for passwords or other personal information (apart from the initially entered email address) and that users should always make sure that links from these emails really lead to "monitor.firefox.com" directly. When in doubt, it is always better to type "monitor.firefox.com" in your address bar.

Flags: needinfo?(jsavage)
Summary: Firefox Monitor FAQs should not ask user to check email address → Firefox Monitor FAQs should not ask user to check sender address
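The point raised in the comment above, as an added example that is not part of the original bug or of any Mozilla code: the From header of a message is plain text chosen by whoever sent it, so it can match the expected address while links in the body lead elsewhere. The sample message, the `.example` hosts and the function names `link_is_trusted` and `audit` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED_SENDER = "breach-alerts@mozilla.com"  # address quoted from the FAQ
EXPECTED_HOST = "monitor.firefox.com"          # host named in the bug comment

# Constructed sample: the From header matches the FAQ, two links do not
# lead to the expected host.
SAMPLE = """\
From: Firefox Monitor <breach-alerts@mozilla.com>
To: user@example.org
Subject: Your account appeared in a breach
Content-Type: text/plain

Dashboard: https://monitor.firefox.com/
Verify now: https://monitor.firefox.com.login.example/verify
Or here: https://monitor.firefox.com@phish.example/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_is_trusted(url):
    """True only for https links whose host is exactly EXPECTED_HOST."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:          # malformed authority, e.g. bad brackets
        return False
    # Compare the parsed host, never a prefix or substring of the URL:
    # the trusted name can appear as a left-hand label of another domain
    # or in the userinfo part before '@' without being the destination.
    return parts.scheme == "https" and host == EXPECTED_HOST

def audit(raw):
    """Report whether From matches and which body links fail the host check."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    links = URL_RE.findall(msg.get_payload())
    return {
        "sender_matches": sender == EXPECTED_SENDER,
        "untrusted_links": [u for u in links if not link_is_trusted(u)],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The sender check passes for this message even though two of its three links fail the host check, which is why the comment recommends verifying the link destination rather than the sender field.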

Revised FAQ copy has been sent to the SUMO team, will update here once the content is live.

The article was updated so closing out this bug.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jsavage)
Resolution: --- → FIXED