Closed Bug 1606339 Opened 4 years ago Closed 4 years ago

migrate yahoo users to OAuth2 to deal with Yahoo password login shutdown (DL October 20, 2020)

Categories

(Thunderbird :: Security, defect, P1)

Product:
Thunderbird
Component:
Security
Type:
defect

Tracking

(thunderbird_esr68 wontfix, thunderbird_esr78+ fixed, thunderbird82+ fixed)

Status:
RESOLVED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
thunderbird_esr68 --- wontfix
thunderbird_esr78 + fixed
thunderbird82 + fixed

People

(Reporter: worcester12345, Assigned: aleca)

References

Details

(4 keywords)

Attachments

(2 files, 4 obsolete files)

yahoo.txt
1.89 KB, text/plain
Details
1606339-yahoo-oauth2.diff
10.07 KB, patch
aleca
: review+
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr78+
Details | Diff | Splinter Review

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Browse, view, use Yahoo email.

Actual results:

Would come up and ask for password. Yahoo mail unusable after this.

Expected results:

It should have remembered the password.

72.0b2 (64-bit)

Please retest when 75 comes out shortly and post your results.

Flags: needinfo?(worcester12345)
Whiteboard: [closeme 2020-03-15]

(In reply to Wayne Mery (:wsmwk) from comment #2)

Please retest when 75 comes out shortly and post your results.

On version: 74.0b1 (64-bit)

Just checked, and still no update. I thought by "shortly", you meant within hours.

Flags: needinfo?(worcester12345)

75 is available end of last week - it got delayed

Flags: needinfo?(worcester12345)
Whiteboard: [closeme 2020-03-15] → [closeme 2020-03-25]

Just tried it in 75. Still doing it.

Flags: needinfo?(worcester12345)
See Also: → 1615833

Any words of wisdom?

Flags: needinfo?(unicorn.consulting)

Query.....Yahoo. If you are not using up to date settings then Yahoo will block access. So asking for password and then apparently no access sounds normal for yahoo if old settings are being used.

Is this pop or imap mail account?

Is 'Authentication Method' for incoming / outgoing smtp server set as 'OAuth2' ?

I will just have to reiterate ANje's comments. This would be normal for YAhoo following their decision to not support normal password as an authentication method. They insist on oAuth

Flags: needinfo?(unicorn.consulting)

FWIW, imap.mail.yahoo.com:993 works OK for me with normal password and no oauth2. Same for pop.mail.yahoo.com:995.
Reporter, what "Connection security" and "Authentication method" are you using? See Server Setting for yahoo account.

(In reply to Worcester12345 from comment #0)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Browse, view, use Yahoo email.

Actual results:

Would come up and ask for password. Yahoo mail unusable after this.

When you start tb, does yahoo immediately ask for password? Each time you click a folder does it ask again? Can you access any emails? If not, how is it "unusable"?

Expected results:

It should have remembered the password.

If you look in the "Privacy and Security" setting for "Saved Password" do you see anything there for your yahoo account?

But if this can be fix by just using oauth2 authentication, then we won't be doing any fixes as as described in this bug: Bug 1337445

See Also: → 1337445

Does anybody know if there are instructions at official yahoo pages telling you that you need to use OAuth2 now?

They do recommend that you use oauth2 but, AFAICT they don't require it and there is no announcement to discontinue "less secure/3rd Party App" access via TLS and normal password. Matt pointed to this link in Bug 1337445 which is all I can find:
https://help.yahoo.com/kb/SLN27791.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1538409#c16

It is now after the 2nd of March. The option is missing from my settings.

They will continue to offer app passwords "If you use Yahoo two-step verification, Account Key or an older email app, you may need to use an app password to access Yahoo Mail." but that is because there is no secrets for ATT and all the other contracted email provisioning so they can not "enforce" oAuth, they have not figured out how. The server names are not yahoo, so yahoo secrets don't technically apply. Bug 1591782 is my solution for that, but it has zero traction.

From a practical point, it is actually easier to get an ATT customer logging in using yahoo servers and oAuth than it is to explain this whole mail key thing they have to use, so I just accept that Yahoo is something of a mess and tell people that can to use oAuth because it is the method that just works. Bug 1528136 for examples of just how much of a mess offering to many authentication methods can become.

Whiteboard: [closeme 2020-03-25]

So what do we do with this albatross? Duplicate of another bug? Is it even fixable?

Severity: normal → S4
Component: Untriaged → Security

Agree with Matt: the option in yahoo in account section "Allow apps that use less secure sign in" has now been removed as of March 2020. So people using pop may discover they need to generate an app password or change to using imap and use OAuth as it is offered.

Yahoo says the following on various yahoo webpages .
By default, we block access to Yahoo Mail from outdated apps that could leave your account vulnerable.
If you try to use Yahoo Mail in an older email client that uses POP or IMAP, you might get a "Server password has changed" or an "Authentication failed" error message. This is because those email apps use outdated security protocols and we've disabled access to them by default now.
If you use Yahoo two-step verification, Account Key or an older email app, you may need to use an app password to access Yahoo Mail. Just remember, this is "not intended for permanent access"

So I presume the app password works for a while before yahoo block again forcing you to access yahoo webmail and generate a new app password.

If yahoo are blocking and insisting on generated app passwords or Change to imap and preferably using OAuth then I do not see how this can be a bug.

It seems we are discussing an issue without knowing some facts.
Is worchester12345 using pop or imap?
If imap did it work to use OAuth?
If using pop has an app generated password been used instead of normal password ?
says : "Would come up and ask for password. Yahoo mail unusable after this."
So at this point having tried to use Normal password several times, has yahoo locked account because they think someone is trying to access illegally or because not using the method they insist?

I'm not so sure this is a bug.

Note: the issue was initially reported at the same time yahoo blocked and stopped "Allow apps that use less secure sign in"

I am using IMAP.

Worchester12345 -
What are all the server settings you are currently using?
Are you using Authentication Method OAuth?
Is correct password and or Oauth token stored in the Thunderbird Privacy Passwords area?
Are you able to logon to webmail using normal password or have you created a Yahoo Account password (something yahoo are looking to use like google) that you use to logon to yahoo webmail?

FWIW, my yahoo imap test account still seems to work fine with just TLS/SSL and normal password. At least at my locale I see no problems.

Please make a case for not using ANY of these:
ux-consistency, ux-control, ux-efficiency, ux-error-prevention

Keywords: ux-consistency, ux-control, ux-efficiency, ux-error-prevention

I received this from yahoo a few days ago (edited some):

We’ve noticed that you’re using non-Yahoo applications (such as third-party email, calendar, or contact applications) that may use a less secure sign-in method. To protect you and your data, Yahoo will no longer support the current sign-in functionality in your application starting on October 20, 2020. This means that you will need to take one of the steps below to continue using Yahoo Mail without interruption.

But don’t worry, you have options. Find an option that works best for you below:

Option 1: We recommend that you access your email using our free Yahoo Mail app for iOS and Android or simply go to mail.yahoo.com to access Yahoo Mail on the web.

Option 2: Keep your current, non-Yahoo app, BUT follow a few steps to get it to sync with our secure sign-in method. The steps vary across different email applications, but in most cases, you will have to remove your Yahoo account from the app and then add it back again to update the sign-in security. Use the links below to follow the specific steps for your current application:

iOS Mail
Gmail
Samsung Mail
Others

Option 3: You can generate a one-time, unique password that will allow you to sign in to your account using your non-Yahoo email application. Once created, this password will continue to allow your app to securely sync your Yahoo email unless you sign out (or are signed out) from your app. You can find instructions on how to do this here.

If you want more details on these changes, please visit our help page. If you’ve already taken action, we’d like to think you haven’t read this far, but if you have . . . we sure appreciate the diligence!

People seem to be following Option 2 which the yahoo help page then tells the user to delete the account and recreate it. At which point Thunderbird will set it up as imap using OAuth2 as Authentication Method.
But if you a Pop account and follow those instructions it causes a loss of emails which then need to be recovered.

However, it is easier to chnage the incoming and outgoing server settings for Authentication Method to OAuth2 and restart Thunderbird.
This info has been updated in the 'Thunderbird and Yahoo' help article.

(In reply to Anje from comment #21)

People seem to be following Option 2 which the yahoo help page then tells the user to delete the account and recreate it. At which point Thunderbird will set it up as imap using OAuth2 as Authentication Method.
But if you a Pop account and follow those instructions it causes a loss of emails which then need to be recovered.

However, it is easier to chnage the incoming and outgoing server settings for Authentication Method to OAuth2 and restart Thunderbird.
This info has been updated in the 'Thunderbird and Yahoo' help article.

Seems like Option 3 and generating a one-time, unique password would be the best option to me.

(In reply to Anje from comment #21)

People seem to be following Option 2 which the yahoo help page then tells the user to delete the account and recreate it. At which point Thunderbird will set it up as imap using OAuth2 as Authentication Method.
But if you a Pop account and follow those instructions it causes a loss of emails which then need to be recovered.

However, it is easier to change the incoming and outgoing server settings for Authentication Method to OAuth2 and restart Thunderbird.
This info has been updated in the 'Thunderbird and Yahoo' help article.

Thanks! But you mean the TB and yahoo help article on mozilla site.
I wasn't sure if you meant yahoo had updated their article, which they haven't.

(In reply to WaltS48 [:walts48] from comment #22)

Seems like Option 3 and generating a one-time, unique password would be the best option to me.

Except Yahoo app passwords, or whatever you want to call these things, appear to need to be recreated every time Thunderbird offers a new user agent. For some folks, this is every six weeks. At least I am assuming it is the user agent changing Frequent resetting however appears to be the order of the day for those lucky enough to use ATT/Yahoo/AOL. Then there are those that simply can not even grasp the concept of an app password. They have a password and it does not work, they don't read any links they are provided and revel in their technical inability. oAuth is by far the simplest procedure to explain to the technically challenged.

Change this setting to this value in Thunderbird is what they are expecting and it is basically all they are interested in hearing about. Thunderbird is the program they are having issue with so fixing it will occur in Thunderbird and nowhere else.

Let's use this bug to handle auto-upgrading Yahoo users to using OAuth2. The alternatives are pretty bad.
I think we should do a one-time migration (see MailMigrator.jsm). October 20 is pretty near already.

Assignee: nobody → alessandro
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Status: NEW → ASSIGNED
Summary: Yahoo asks for password even though remembered → migrate yahoo users to OAuth2 to deal with Yahoo password login shutdown (DL October 20, 2020)

I started working on this.
Since I'm pretty new to these type of migrations, I'm gonna ask some questions to properly define the scope and action plan for this migration.

I'm planning to add a new method called _migrateAccounts() inside the mailMigrator.jsm file.
This method will have a try/catch for the migrateYahooAccounts() method.
Is this okay or do you prefer to keep using the migrateMailnews() method we grab from MailnewsMigrator.jsm?

I'm gonna loop through all the accounts and check if there's any Yahoo account currently configured.
Do we have a method in place to quickly extract all accounts from a specific provider, or should I simply check for the *.mail.yahoo.com SMTP server string? Is this the safest way to identify Yahoo accounts?

I will check which of those accounts still use POP and move it to IMAP OAuth2, correct?

I saw in the MailnewsMigrator.jsm that we're using a pref Services.prefs.prefHasUserValue(server + "migrated") to flag an account as migrated.
Should I use something similar (eg. "OAuth2Migrated") or we simply use the POP condition as a check?

To proceed with the migration, I have to:

  • Set the auth_method pref to 1
  • Set the useSecAuth pref to true
  • Set the authMethod pref to Ci.nsMsgAuthMethod.secure
    Something else I'm missing?

Should we have any check in place to be sure this type of migration is possible? Like for example simulating a login attempt? I'm worried we might bust a working configuration without letting the user know.

Is there any risk of losing emails for the user by switching from POP to IMAP?

Apologies if some of these questions sound silly.

Flags: needinfo?(mkmelin+mozilla)

What is the proposal for non yahoo yahoo users like ATT, and is it BT or Virgin in the UK. It might ber both. YAhoo are supplying serviced for many "NON" yahoo internet providers. Some in the ATT style where there is yahoo in the server names. Other is is almost transparnet. Other than the use of mailkeys type application password being the current only way.

I filed Bug 1591782 about a year ago to make is a matter for the user to select an oAuth provider. But in this circumstance here folks are largely going to be left for support of sort out as ther is no simple fix to auto update, not is there an option to even use oAuth.

I will check which of those accounts still use POP and move it to IMAP OAuth2, correct?

I may have missed it but I've seen nothing from Yahoo about POP going away. I think POP3 can just use OAUTH2 too just like IMAP. It would be pretty surprising for a user's POP3 account to automatically switch over to IMAP.

Also, not sure an auto-upgrade is a good idea. It's pretty simple to just change your existing tb yahoo account from Authentication Method "Normal Password" to "Oauth2". Then when you access a yahoo folder the next time a page pops up to entered your credentials which seems to be the same id and password you were using before (was for me). This was after receiving a couple "it's going away" emails like in comment 20 above.

Attached file yahoo.txt

The attachment is a copy of the text of the notification email I received on my POP account with Yahoo. It talks of the removal of my current sign in method, not the pop protocol.

What is very concerning is the advice Yahoo is offering in the link included in the mail.
https://au.help.yahoo.com/kb/new-mail-for-desktop/SLN27791.html?impressions=true#others
Go to Tools | Account Settings.
Select your account in the list.
Go to Account Actions at the bottom left.
Click Remove Accounts.
Click Add Accounts and type in the email address and password.
- Thunderbird will then automatically activate the secure sign-in method for your account.

If they do that they will loose data. For the Moment I will add a note to the KB article they link to, but perhaps we can organise for someone to reach out to yahoo to correct their rather poor advice.

I may have missed it but I've seen nothing from Yahoo about POP going away. I think POP3 can just use OAUTH2 too just like IMAP. It would be pretty surprising for a user's POP3 account to automatically switch over to IMAP.

Sorry, my bad, I misread some previous comments, thanks both for the clarification.
Yay for me for writing down everything before coding.

(In reply to Alessandro Castellani (:aleca) from comment #26)

I started working on this.
Since I'm pretty new to these type of migrations, I'm gonna ask some questions to properly define the scope and action plan for this migration.

I'm going to attach a pseudo code for what I'd think needs doing

Should we have any check in place to be sure this type of migration is possible? Like for example simulating a login attempt? I'm worried we might bust a working configuration without letting the user know.

I don't think that's feasible. There should be no case where they can't use OAuth2, but they won't be able to use normal passwords in the future. There will be users who want to use an app-password, but as described above, that will just cause them to keep breaking. We only do this migration once, so if they change it back to password after that they are on their own.

Is there any risk of losing emails for the user by switching from POP to IMAP?

We don't change the account type, only the auth method.

Flags: needinfo?(mkmelin+mozilla)

Something like this, expanded.
Also please add a test, https://searchfox.org/comm-central/search?q=MailMigrator.jsm&path=
(for how to create a server, the MailnewsMigrator.jsm tests have some code to grab.)

Attachment #9177822 - Attachment is patch: true

Info:
I have updated the 'Thunderbird and Yahoo' Help Article with advice and it is live.
https://support.mozilla.org/en-US/kb/thunderbird-and-yahoo#w_important-changes-to-authentication-method-notice

Yahoo help website redirects users to this page https://support.mozilla.org/en-US/kb/automatic-account-configuration
I have edited this with a note for Yahoo users redirecting them to information at the former mentioned Help Article.
It is currently pending review and approval.

The advice is how to change Authentication Method to OAuth.

I have been successfully guiding/advising people in Support Forum in changing the Authentication Method and that includes POP and IMAP to OAuth. Some POP users had already deleted accounts and required help in recovering emails due to Yahoo's advice.

Attached patch 1606339-yahoo-oauth2.diff (obsolete) — Splinter Review

Here's a WIP patch with a couple of questions:

For SMTP, is doing smtpServer.value.authMethod = Ci.nsMsgAuthMethod.OAuth2; enough to update the setting?
Or should I create a new SMTP with MailServices.smtp.createServer(); like is done here? https://searchfox.org/comm-central/rev/47f36ea27d8278aa75ce1b9c11c1106f3b191c73/mail/components/accountcreation/content/createInBackend.js#150

Also please add a test.

Sure

Attachment #9177822 - Attachment is obsolete: true
Attachment #9177935 - Flags: feedback?(mkmelin+mozilla)

Doing smtpServer.authMethod = Ci.nsMsgAuthMethod.OAuth2 will likely be enough. At least we don't need to create a new server.

Attached patch 1606339-yahoo-oauth2.diff (obsolete) — Splinter Review

Ready for a full review.

Attachment #9177935 - Attachment is obsolete: true
Attachment #9177935 - Flags: feedback?(mkmelin+mozilla)
Attachment #9177991 - Flags: review?(mkmelin+mozilla)
Comment on attachment 9177991 [details] [diff] [review]
1606339-yahoo-oauth2.diff

Review of attachment 9177991 [details] [diff] [review]:
-----------------------------------------------------------------

::: mail/base/modules/MailMigrator.jsm
@@ +515,5 @@
> +          // Change Incoming server to OAuth2.
> +          account.incomingServer.authMethod = Ci.nsMsgAuthMethod.OAuth2;
> +
> +          // Change Outgoing SMTP server to OAuth2.
> +          for (let identity of account.identities) {

Incoming and outgoing do not necessarily go together so there's two errors here:
 * you need to loop the smtp servers for all accounts, not just the yahoo ones
 * you need to check that the smtp servers are really yahoo. E.g. it could be semi common that someone uses yahoo for incoming, but an ISP (or what do I know) Google for SMTP. 

It would be good to test the above.
Attachment #9177991 - Flags: review?(mkmelin+mozilla) → review-
Attached patch 1606339-yahoo-oauth2.diff (obsolete) — Splinter Review

Thanks for the info about the different servers configuration.

I updated the tests to run through 4 accounts with different configurations, and after the migration I'm also checking if the servers not related to Yahoo haven't been touched.

Attachment #9177991 - Attachment is obsolete: true
Attachment #9178317 - Flags: review?(mkmelin+mozilla)
Comment on attachment 9178317 [details] [diff] [review]
1606339-yahoo-oauth2.diff

Review of attachment 9178317 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, thx! r=mkmelin

::: mail/base/test/unit/test_yahoo_oauth_migration.js
@@ +217,5 @@
> +
> +  // Remove our test accounts to leave the profile clean.
> +  for (let account of gAccounts) {
> +    MailServices.accounts.removeAccount(account);
> +  }

I think you should probably also loop through the smtps and clean them up (deleteServer)
Attachment #9178317 - Flags: review?(mkmelin+mozilla) → review+
Target Milestone: --- → 83 Branch

Good call, thanks.
I launched a try-run to be sure everything runs properly: https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=0f6647f473b6e38b622715b24317c02fe6facc9b

Attachment #9178317 - Attachment is obsolete: true
Attachment #9178787 - Flags: review+
Keywords: checkin-needed-tb

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/99bf29eae8f6
Migrate Yahoo users to OAuth2 to deal with Yahoo password login shutdown. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

I'm not completely sure about this, but it looks like Yahoo mailboxes could be used internationally with different country codes in the URL in the past?

It was previously possible with a password login that the accounts were used with pop3.mail.yahoo.de, for example. In the support forums, however, it is now apparent that when switching to OAuth2, the * .com domain must apparently be used: pop3.mail.yahoo.com

The same is probably true for IMAP.

This could have been relevant to the migration offered here.

The latest Code revsion, doesn't handle other domains than mail.yahoo.com at all. So probably all users with international country codes in domain will not be supported by this migration.

But as I said, I'm not quite sure whether it was officially possible with the * .de URLs at all, or whether these were unsuccessful attempts by the users from the start.

Those are unfortunately quite more complex. Has yahoo announced anything about those domains? pop3.mail.yahoo.de doesn't seem to exist at all (can't even ping it). Nor does pop3.mail.yahoo.com

OAuth2 can only be used with imap.mail.yahoo.com, pop.mail.yahoo.com and smtp.mail.yahoo.com.

Example: I've currently got someone with imap.correo.yahoo.es and smtp.correo.yahoo.es in support forum which does not offer the OAuth option.
I'm enquiring as to whether he can also use the standard imap.mail.yahoo.com and smtp.mail.yahoo.com to access mail.

(In reply to Magnus Melin [:mkmelin] from comment #43)

pop3.mail.yahoo.de doesn't seem to exist at all (can't even ping it). Nor does pop3.mail.yahoo.com

Sorry, I meant pop.mail.yahoo.de / pop.mail.yahoo.com

Comment on attachment 9178787 [details] [diff] [review]
1606339-yahoo-oauth2.diff

[Approval Request Comment]
User impact if declined: yahoo users can't access mail
Testing completed (on c-c, etc.): on c-c
Risk to taking this patch (and alternatives if risky): has automated test. Shouldn't be risky, but should be relnoted.

Attachment #9178787 - Flags: approval-comm-esr78?
Attachment #9178787 - Flags: approval-comm-beta?

Comment on attachment 9178787 [details] [diff] [review]
1606339-yahoo-oauth2.diff

[Triage Comment]
Approved for beta

Attachment #9178787 - Flags: approval-comm-beta? → approval-comm-beta+

Is there a decision about the other companies related to Verizon (AOL, ATT). Do we migrate them, too?

I've seen no statement from them that they are affected. Are they?
We can only migrate users who use the yahoo servers specified in our code: https://searchfox.org/comm-central/rev/0af59a692f43286cbc0d239cafd250e33c4582ec/mailnews/base/src/OAuth2Providers.jsm#27-29 because only those would actually work with OAuth2.

If they use those, users will get migrated and things should work.

(In reply to Alex Ihrig [:Thunderbird_Mail_DE] from comment #48)

Is there a decision about the other companies related to Verizon (AOL, ATT). Do we migrate them, too?

When I recently setup my AOL IMAP account in Thunderbird it used OAuth2 as the Authentication method.

I did get an email reminder on Oct. 6th that my accounts security is out of date and needs my attention before the 20th. The original notice was dated 08/25.

If OAuth2 isn't a supported current sign-in functionality, it is not a major account for years, so I'm going to see what happens after the 20th.

I had a Yahoo account years ago which I canceled when they were hacked.

(In reply to WaltS48 [:walts48] from comment #51)

If OAuth2 isn't a supported current sign-in functionality, it is not a major account for years, so I'm going to see what happens after the 20th.

It is supported by Thunderbird. And if it works with AOL at the moment, then it will still do so after the 20th.

(In reply to Magnus Melin [:mkmelin] from comment #49)

I've seen no statement from them that they are affected. Are they?

I guess not! ATT users have not had access to that setting for years. They have to use the equivalent of an app password created on the web site because they can not use a password and have no access to the oAuth process. I have been asking for something for them for a long time. Did anyone ask if these folks want to stop using their app password?

It is now clear they are offering the same dud advice to their AOL users. https://support.mozilla.org/en-US/questions/1308150

We are going to do something "soon" but users have already been notified to delete their mail and complain in support at Thunderbird.

I couldn't find an announcement online, but there is https://help.aol.com/articles/allow-apps-that-use-less-secure-sign-in
Did someone get an email about it and is the date the same? Should we just go ahead and migrate aol.com users too?

For this bug too it's a bit of a rush to get it into 78 if they really are cutting access of Oct 20.

Getting out for 78 is less of an issue than getting users updated from 68 - that bit won't finish by Oct 20. But if users are able to update manually then at least they have an option.

Should this be added to a KB article?

Severity: S4 → S2
status-thunderbird_esr68: --- → wontfix
Flags: needinfo?(unicorn.consulting)

(In reply to Magnus Melin [:mkmelin] from comment #55)

I couldn't find an announcement online, but there is https://help.aol.com/articles/allow-apps-that-use-less-secure-sign-in
Did someone get an email about it and is the date the same? Should we just go ahead and migrate aol.com users too?

For this bug too it's a bit of a rush to get it into 78 if they really are cutting access of Oct 20.

I added my AOL account which I have had for decades and hardly use to my Thunderbird's in June.
Set it up as an IMAP account with OAuth2 authentication.
Got the "Important security notice for your AOL account" on 8/25.
Got another one on 9/14.
Got "Important: Your account security is out of date" email on 10/6.

Waiting to see what happens.

Blocks: 1670892

Comment on attachment 9178787 [details] [diff] [review]
1606339-yahoo-oauth2.diff

[Triage Comment]
Approved for esr78

Attachment #9178787 - Flags: approval-comm-esr78? → approval-comm-esr78+

@Wayne, added or not to a kb article does not fix the most difficult issue. Yahoo/AOL advising POP users to remove their account. This leads to data loss and just looks bad for Thunderbird. I think we need someone from Mzla to reach out to Yahoo and explain what their advice really means and ask them to update their user support acticle asking the user to update authgentication method, not remove the account.

Flags: needinfo?(unicorn.consulting)

What is the intended behavior when someone open Thunderbird after this update? I had something unexpected happen, where it asked for passwords, and emailed another account asking for passwords. If I were not following this bug, I would have just closed everything down as if it were some sort of phishing scheme. If this is this bug in the real world, it looks very suspicious. Maybe a new bug, that puts up a Thunderbird window telling that this is going to happen first.

If someone were using Yahoo via password login, they would now be migrated to OAuth2. That means when authentication is requested the OAuth2 window will pop up. If you close that window you'll get an "authentication failed". The window will pop open next time authentication is requested again, so I don't think there's too much room mess up.

Is it a Thunderbird window, or a browser window? It did not look like a Thunderbird window, which is why I am asking. Will people be disconnected from their email if they are not sure and refuse this? Do you have a screenshot of the expected behavior?

At the prompt by Yahoo, you logon to prove you really are you and to allow Yahoo to create a token that is stored in Thunderbird. Yahoo do this via a browser and it requires you to allow cookies in Thunderbird. If you need help please ask a question in the Thunderbird Help Support Forum.

(In reply to Matt from comment #60)

@Wayne, added or not to a kb article does not fix the most difficult issue. Yahoo/AOL advising POP users to remove their account. This leads to data loss and just looks bad for Thunderbird. I think we need someone from Mzla to reach out to Yahoo and explain what their advice really means and ask them to update their user support article asking the user to update authentication method, not remove the account.

I guess that would be Magnus or Ryan.

Flags: needinfo?(ryan)
Flags: needinfo?(mkmelin+mozilla)

The "browser window" is part of Thunderbird, you can check a screenshot in bug 1671809. If you don't log in it's the same as not providing your password when asked - you then can't connect.

I don't know who to contact. But with this patch in place users shouldn't have to do anything, except logging in again.

Flags: needinfo?(mkmelin+mozilla)
Flags: needinfo?(ryan)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: