Closed Bug 1602844 Opened 5 years ago Closed 3 years ago

FxA ID is unhashed in telemetry on iOS

Categories

(Lockwise Graveyard :: Security, defect, P1)

x86_64
macOS
defect

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: ddurst, Assigned: kgalway)

Details

(Keywords: csectype-disclosure, privacy, sec-other)

FxA ID is unhashed at https://github.com/mozilla-lockwise/lockwise-ios/blob/master/Shared/Action/TelemetryAction.swift#L129 -- so that needs to go away.

The bad news is that this unhashedness has been around for a year. The good news is that we're not using it, and it can't correlate to anything on the server side (which is hashed).

This will be obviated by Account Ecosystem Telemetry, which should be coming soon, as we're getting Glean right now, so this is a note to remove that unhashed ID in the next release (rather than to hash it and leave it there).

We'll file another bug to clean the data (and handle the incoming stragglers after this update).

Confirmed with agray that we can null the field retroactively since the implementation of the collection -- rather than the collection in itself -- was the error.

Lockwise deprecated 12/13/2021. Closing bug as INCOMPLETE.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Group: firefox-core-security