Closed Bug 1620740 Opened 5 years ago Closed 5 years ago

Logging into an account can imply sync without explicit confirmation

Categories

(Firefox :: Sync, defect)

73 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1572344

People

(Reporter: yoshi, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

Tried to send a tab from my desktop Firefox to my laptop.

  1. Read help for "send to device"

  2. Sign up for a Firefox account on the desktop.

  3. Log into the new account on the laptop.

  4. "Send to device" in the context menu of the tab.

Actual results:

Firefox automatically syncs bookmarks, add-ons and likely history without any warning. This is a potential privacy problem: in my case I now have additional Manjaro bookmarks in my bookmarks toolbar on the desktop, however synced information appearing on a work laptop may be more problematic, e.g. if private search keywords appear during a work meeting.

Expected results:

The "send to device" should have queried for the sync preferences, or at least given a warning that it will sync even though the user only requested an action on a specific tab.

I'm not super familiar with the flow here (and there are some details missing in comment #0 in terms of where/how sign-in / sign-up happened), so I can't confirm whether or not this is a valid bug. However, taking comment #0 at face value, this would be a potential privacy issue - but I don't think it's an exploitable security issue (if an attacker has your account credentials, you've already lost!), so I'm unhiding the bug. I'll move it over to the accounts component so people who know this stuff better can take a more detailed look.

Group: firefox-core-security
Component: Untriaged → Firefox Accounts
Summary: Send to device implies sync → Logging into an account can imply sync without explicit confirmation

I'm moving this into the Firefox Sync component. There are a few known edge cases that can result in a "surprise syncing" experience that the team is currently working on resolving. In the near-term, Joerg, you can go to about:preferences#sync in your browser and configure your sync preferences for your account.

Component: Firefox Accounts → Sync

(In reply to Joerg Kulbartz from comment #0)

  1. Sign up for a Firefox account on the desktop.

Can you please tell us more about exactly how you did this? All of the entry points to do this try and make it clear that you are actually signing in to "sync" and try and explain what "sync" is. We might not do a great job at that, so I'd like to better understand what happened to see how we can improve it.

Also, if you are creating a new account, then you should have been asked exactly what you want to sync. Unfortunately, if you just signed in to an account that was created for a reason other than sync (eg, for addons.mozilla.org), then we would not have asked you - which is something we plan on fixing this quarter, but it would be great to know if you already had an account, and if so, how you created it, before you struck this.

Thanks!

Flags: needinfo?(yoshi)

I'm afraid I didn't keep comprehensive notes. From what I can reconstruct now, I believe I went from a tab context menu point "Send Tab to Device"->"Learn About Sending Tabs" to

https://support.mozilla.org/en-US/kb/send-tab-firefox-desktop-other-devices?redirectlocale=en-US&as=u&redirectslug=send-tab-firefox-other-devices&utm_source=inproduct

and there I clicked on create account. Then I discovered that the timeout for the confirmation email is shorter than the greylisting timeout on my mail server. (The confirmation mail token only has a 5-minute timeout, and my server is set to 30 minutes.) Because of that, I had to trigger resending a confirmation code several times. (I got four mails; I am not sure why I didn't recognize it immediately as a greylisting issue.)

Then I copied the confirmation code and went back to whatever I had started in the meantime. Judging from the mails informing me of a new sign-in, I returned to the sending-tabs project half an hour later, signed in on my desktop and laptop, and then just clicked on "Send Tab to Device."

So no, I didn't use an existing account.

For technical information, this is Firefox on Archlinux, and I have NoScript, Disconnect, Cookie AutoDelete and Decentraleyes installed. (As well as RES, Wayback Machine, HTTPS Everywhere and Greasemonkey (that one should not have a script active on Mozilla domains though)).

Flags: needinfo?(yoshi)

The priority flag is not set for this bug.
:markh, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(markh)

Sorry for the delay in getting back to you. I see what happened here:

(In reply to Joerg Kulbartz from comment #4)

and there I clicked on create account.

That link is a bit unfortunate - it creates an account, but doesn't actually configure the Firefox used to create it in any way (either for Sync or for "send tab"). Most account creation flows will ask you what you want to Sync, where you have the opportunity to decline - but this "vanilla" one doesn't.

then:

I signed in on my desktop and laptop, and then just clicked on "Send Tab to Device."

So here you already had an account - and sadly, this flow assumes you were asked what to sync at account creation time, doesn't find any evidence you declined, so goes ahead and enables sync.

We do realize this is a huge issue and we are tackling this in bug 1572344 - while there isn't much evidence there that it's a priority, it is something we will be working on in the next month or so, and have already begun detailed planning.

So please accept our apologies - I agree that automatically syncing is a very bad look - and I hope we will have this fixed in the next month or 2. In the meantime I'm going to close this as a dupe of that.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(markh)
Resolution: --- → DUPLICATE
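The decision logic described in comment 6 (the sign-in flow assumes the user was asked at account creation, finds no recorded decline, and therefore enables sync) is a fail-open consent check. The following is an added example modelling that check beside a fail-closed replacement; it is not Firefox or Mozilla code, and every name in it (Consent, Account, sync_plan_fail_open, sync_plan_fail_closed, DEFAULT_ENGINES, the sample accounts) is hypothetical.

```python
"""Sync consent at sign-in: a fail-open check beside its fail-closed replacement.

Added illustration of the behaviour discussed in this bug; not Firefox or
Mozilla code. All names and the sample accounts are hypothetical/constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Consent(Enum):
    """What the account record says about the user's sync choice."""
    UNKNOWN = "unknown"    # created by a flow that never asked (bare "create account" page)
    DECLINED = "declined"  # user was asked and said no
    ACCEPTED = "accepted"  # user was asked and picked engines


# Hypothetical default engine set applied when nothing was ever chosen.
DEFAULT_ENGINES = frozenset({"bookmarks", "addons", "history", "tabs"})


@dataclass(frozen=True)
class Account:
    email: str
    consent: Consent
    engines: frozenset = field(default_factory=frozenset)  # engines explicitly chosen


def sync_plan_fail_open(acct: Account) -> tuple:
    """Pre-fix logic as described in comment 6: absence of a recorded "no"
    is treated as a "yes". Returns (action, engines) with action in
    {"sync", "prompt", "none"}."""
    if acct.consent is Consent.DECLINED:
        return "none", frozenset()
    # UNKNOWN and ACCEPTED are treated alike here; that is the bug.
    return "sync", acct.engines or DEFAULT_ENGINES


def sync_plan_fail_closed(acct: Account) -> tuple:
    """Fixed logic: only a recorded opt-in enables sync. A missing record means
    the user is shown the "choose what to sync" screen before any data leaves
    the device."""
    if acct.consent is Consent.ACCEPTED:
        return "sync", acct.engines
    if acct.consent is Consent.DECLINED:
        return "none", frozenset()
    return "prompt", frozenset()


def send_tab_after_signin(acct: Account, plan) -> dict:
    """Simulate "Send Tab to Device" right after sign-in. Sending a tab only
    needs the device to be registered with the account; the plan function
    decides whether full sync is switched on as a side effect."""
    action, engines = plan(acct)
    return {
        "tab_sent": True,  # device registration suffices for this action
        "sync_enabled": action == "sync",
        "prompt_shown": action == "prompt",
        "engines": engines,
    }


def accounts_needing_prompt(accounts) -> list:
    """Audit helper: accounts that would silently start syncing under the
    fail-open rule but would be asked first under the fail-closed rule."""
    return [
        a.email
        for a in accounts
        if sync_plan_fail_open(a)[0] == "sync"
        and sync_plan_fail_closed(a)[0] == "prompt"
    ]


if __name__ == "__main__":
    # Constructed sample: an account created from a support-article link
    # (never asked), one that declined, and one that chose bookmarks only.
    sample = [
        Account("never-asked@example.invalid", Consent.UNKNOWN),
        Account("declined@example.invalid", Consent.DECLINED),
        Account("chosen@example.invalid", Consent.ACCEPTED, frozenset({"bookmarks"})),
    ]
    for a in sample:
        print(a.email, "fail-open:  ", send_tab_after_signin(a, sync_plan_fail_open))
        print(a.email, "fail-closed:", send_tab_after_signin(a, sync_plan_fail_closed))
    print("would be surprised by silent sync:", accounts_needing_prompt(sample))
```

The point of the pair is that the two rules only differ for the UNKNOWN case, which is exactly the account created from the support-article link in this report: the fail-open rule turns on every default engine, while the fail-closed rule still registers the device (so the tab is sent) but defers syncing until the user has actually chosen.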