Closed Bug 1626535 Opened 4 months ago Closed 4 months ago

The vulnerable logins are sometimes not marked as vulnerable after syncing logins or adding outside about:logins without refreshing the page

Categories

(Firefox :: about:logins, defect, P1)

Desktop
All
defect

Tracking

()

VERIFIED FIXED
Firefox 76
Tracking Status
firefox76 --- verified

People

(Reporter: srosu, Assigned: jaws)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

[Affected versions]:

  • Nightly 76.0a1 (Build ID: 20200331225823)

[Affected Platforms]:

  • Windows 10 x64
  • Mac 10.14.6
  • Ubuntu 18.04 x64

[Prerequisites]:

  • Have a Firefox Account with at least 2 saved logins, one breached and another one vulnerable. (the vulnerable login must be without username)

[Steps to reproduce]:

  1. Open the Firefox browser.
  2. Navigate to the “about:logins” page.
  3. Click the “Sign in to Sync” button and log in with the Firefox Account from prerequisites.
  4. Switch back to the “Logins & Passwords” tab.
  5. Observe the vulnerable login without the username.

[Expected result]:

  • The login is marked as vulnerable.

[Actual result]:

  • The key icon and notification are not displayed.

[Notes]:

  • This issue is not reproducible for the breached logins without a username.
  • Attached a screen recording with the issue.

Can you triage this please?

Flags: needinfo?(jaws)
Assignee: nobody → jaws
Status: NEW → ASSIGNED
Flags: needinfo?(jaws)
Priority: -- → P1
Flags: qe-verify+

When a user signs in to their Firefox Account and logins are synced, the "addLogin" notification is sent to all observers and logins are added one at a time to about:logins. This is the same behavior as having two separate windows open to about:logins and adding a login manually in one window and checking that the login is added in the other window.

After investigating this bug, I found two issues:

  1. When a login is added in window A, the login will appear in window B and is not always marked as "vulnerable" in the login-list. This is easier to reproduce when the user has many logins (over 400), though it can still happen when the user has few logins (less than 10).
  2. Also, in window B the login will not get sorted up to the top with the other alerts. It should appear beneath any breached logins and before logins that are neither breached or vulnerable.

I was unable to find any association with logins that lack a username.

Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c526677e5ffb
Update the vulnerable and breached maps before adding the new login to the page. r=sfoster
Summary: The vulnerable logins without username are not marked as vulnerable after syncing logins without refreshing the page → The vulnerable logins are sometimes not marked as vulnerable after syncing logins or adding outside about:logins without refreshing the page
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 76

This issue is Verified as fixed in our latest Nightly build 76.0a1 (2020-04-06) on Windows 10, Ubuntu 18.04 and Mac Osx 10.15.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.