Closed Bug 1608981 Opened 6 years ago Closed 6 years ago

Blocking of legitimate email hosts from being entered in Sync login screen, pre-populating of illegitimate host instead.

Categories

(Cloud Services :: Server: Firefox Accounts, defect)

72 Branch
Desktop
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: carnold, Unassigned)

Attachments

(2 files)

Filing a bug on behalf of a user who is being blocked from using sync.

On a clean profile, he is trying to log in with his credential and is being blocked by an autofill prompt (attached). (I replicated the error by using the fictional email address nonsense@pm.me.) When I tried to replicate the bug, I see a list of common email hosts suggested once I type a handle and the "@" mark. If I hit Continue, I see the red prompt he saw, suggesting I correct the mail host to "gmx.me".

The list of suggestions for my own email address included gmail, outlook, hotmail, yahoo, qq, web.de, aol, mail.ru, icloud, gmx, t-online, orange, yandex, yahoo.fr, live, 163, msn, comcast, hotmail.co.uk and hotmail.fr, suggested as possible auto-suggestion fixes.

The specific user's problem was that pm.me is a legitimate email host. (gmx.me is not a legitimate email host, though gmx.net is, even though it's not his email host.)

The specific request of the user is that he not be blocked from entering his legitimate email address when using Proton Mail hosted email addresses, the specific service he uses.

A secondary question may be whether we should use auto-suggest in this field for a clean profile at all if the user hasn't populated it previously. But this question comes from my own personal misunderstanding, which led me to interpret that my own user data was being stored on Sync's servers and suggested to other users.

Image of fake email host suggested in place of a legitimate email host. Autofill may have intended to populate with gmx.de instead of gmx.me which is not an actual email host.

User's actual email host pm.me (Hosted by Proton Mail) was prevented from being used to sign into sync.

GMX.de is a legitimate email host that is in the autofill whitelist. But it is not the service the user was anticipating. GMX.me is not a valid auto-correct for gmx.de.

Group: firefox-core-security → cloud-services-security
Component: Sync → Server: Firefox Accounts
Product: Firefox → Cloud Services

Following our Zoom conversation, I've filed the following on the FxA side:
https://jira.mozilla.com/browse/FXA-934
https://jira.mozilla.com/browse/FXA-935

protonmail.com and pm.me have been added to our auto-complete in https://jira.mozilla.com/browse/FXA-935 and are going out in FxA Train 156.

We will be removing the red error bubbles in train 158 since they are redundant with our auto-complete feature. https://jira.mozilla.com/browse/FXA-934

Thank you Alex! I'll close down this bug. I appreciate your support.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: cloud-services-security