Closed Bug 1600863 Opened 5 years ago Closed 5 years ago

Previously created sessions continue being valid after MFA activation

Categories

(Cloud Services :: Server: Firefox Accounts, enhancement)

70 Branch
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1596121

People

(Reporter: onkarsonawane313, Unassigned)

References

Details

(Keywords: reporter-external)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Firefox for Android

Steps to reproduce:

Hi team,

I found one issue related to your 2FA system on https://accounts.firefox.com/settings/two_step_authentication

POC

1. Access the same account on https://accounts.firefox.com/ on two devices.
2. On device 'A', go to https://accounts.firefox.com/settings/two_step_authentication and complete all steps to activate the 2FA system.

Now the 2FA is activated for this account.

3. Back on device 'B', reload the page.

The session is still active.

Impact

In this scenario, when 2FA is activated, the other sessions of the account are not invalidated.

2FA is required to log in. I believe the expected and recommended behavior here is to terminate the other sessions > request a new login > request the 2FA code > then give the account access again.

Ryan, can you take a look? Thanks!

Group: firefox-core-security → cloud-services-security
Component: Untriaged → Server: Firefox Accounts
Flags: needinfo?(rfkelly)
Product: Firefox → Cloud Services

I think this is how we want 2FA activation to work. The alternative would be to require all devices to log in again after adding 2FA to an account, which would put a lot of pressure on users.

You always have the option to disconnect devices from your account page if that's the desired behavior.

> In this scenario, when 2FA is activated, the other sessions of the account are not invalidated.
>
> 2FA is required to log in. I believe the expected and recommended behavior here is to terminate the other sessions > request a new login > request the 2FA code > then give the account access again.

This is currently intentional behaviour, for the reason :ulfr suggests - if we invalidate your existing sessions when enabling 2FA, then all your existing devices would get disconnected from Sync, which is going to be more confusing than helpful.

However, I do see the point that this is unexpected behaviour when it comes to signing in to things on the web.

Personally, I think the ideal scenario would be something like this...if I signed in on device A, then set up 2FA on device B, then:

  • Device A should continue syncing without any action from me.
  • Any FxA RPs that I previously signed in to on Device A should continue to be signed in.
  • Accessing the FxA settings page on Device A should prompt me for 2FA.
  • Connecting any new FxA RPs on Device A should prompt me for 2FA.

Although I can see reasonable people disagreeing on some of the details.

Making all that happen would require a non-trivial rethink of the way our session-handling works in FxA, and it feeds into broader conversations we've had around re-prompting for auth when taking certain critical actions on the account. IMHO the current behaviour is a local maximum until we do the work of thinking all that through.

Flags: needinfo?(rfkelly)
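The step-up policy sketched in the four bullets above, written out as an added example that is not FxA's own code: `makeAccount`, `makeSession`, `Action`, the `totpEnabledAt` / `totpVerified` fields and the RP ids are assumptions for illustration.

```javascript
// Actions a session can attempt; the comment above distinguishes these four.
const Action = Object.freeze({
  SYNC: "sync",               // background Sync traffic from a connected device
  EXISTING_RP: "existing_rp", // an RP this session already signed in to
  SETTINGS: "settings",       // the FxA settings page
  NEW_RP: "new_rp",           // connecting a relying party for the first time
});

// Account-level 2FA state (assumed shape): epoch seconds at which TOTP was
// enabled, or null while 2FA is off.
function makeAccount() {
  return { totpEnabledAt: null };
}

// Called when the user completes 2FA setup (device B in the report).
function enableTotp(account, now) {
  account.totpEnabledAt = now;
}

// A session created at `createdAt`; `totpVerified` flips once the session has
// passed a TOTP challenge; `connectedRps` are the RPs signed in from it.
function makeSession(createdAt, { totpVerified = false, connectedRps = [] } = {}) {
  return { createdAt, totpVerified, connectedRps: new Set(connectedRps) };
}

// Returns true when `action` must be gated behind a 2FA prompt for `session`.
function requiresStepUp(account, session, action, rpId = null) {
  if (account.totpEnabledAt === null) return false; // account has no 2FA
  if (session.totpVerified) return false;           // already verified
  // A session created after 2FA was enabled should have verified TOTP at
  // login; if it somehow did not, treat it as untrusted for everything.
  if (session.createdAt >= account.totpEnabledAt) return true;
  // Below here: a pre-2FA session that was never challenged (device A).
  switch (action) {
    case Action.SYNC:
      return false;                                  // keep syncing untouched
    case Action.EXISTING_RP:
      return !session.connectedRps.has(rpId);        // unknown RP => prompt
    case Action.SETTINGS:
    case Action.NEW_RP:
      return true;
    default:
      throw new Error(`unknown action: ${action}`);
  }
}
```

The current FxA behaviour described in the thread corresponds to returning false for every action on a pre-2FA session; the function above only adds prompts for the settings page and new RP connections.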

(Oh also, since this is intended behaviour, I don't think we need to keep the security flag on this bug unless we have a specific concern to justify keeping it)

In this vulnerability, your website sessions are not expired after activation of MFA.

Any update?

I don't have anything to add beyond my existing Comment 4 at this time. This is deliberate behavior that we don't consider to be a vulnerability, and should not be eligible for a bug bounty; I would be comfortable making this bug publicly visible.

Still, I appreciate you taking a look and providing this feedback! There are certainly improvements that we could make here, but they're not actively planned at this time and we don't consider them urgent.

Group: cloud-services-security

Am I eligible for a bug bounty?

(In reply to Onkar Sonawane from comment #10)

> Am I eligible for a bug bounty?

Hi Onkar, I've set the flag for review by the bug bounty committee. However, https://bugzilla.mozilla.org/show_bug.cgi?id=1600863#c2 and https://bugzilla.mozilla.org/show_bug.cgi?id=1600863#c4 suggest this is not a vulnerability and working as expected.

Flags: sec-bounty?

Thank you. I'm waiting.

This is not eligible for a bounty because it has been previously reported.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE