Closed Bug 1629007 Opened 6 years ago Closed 2 years ago

Sync vulnerable passwords across devices

Categories

(Firefox :: about:logins, enhancement, P3)

Desktop
All
enhancement

Tracking

RESOLVED WONTFIX
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- wontfix
firefox77 --- fix-optional

People

(Reporter: srosu, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [sync:passwords][sync-engine-addition] [passwords:storage])

Attachments

(1 file)

[Affected versions]:

  • Firefox Nightly 77.0a1 (Build ID: 20200409131623)
  • Firefox Beta 76.0b3 (Build ID: 20200409223136)

[Affected Platforms]:

  • Windows 10 x64
  • Mac 10.14.6
  • Ubuntu 18.04 x64

[Prerequisites]:

  • Have a new Firefox profile.
  • Have a Firefox Account with saved logins in which one is breached and multiple are vulnerable.
  • Be logged in with an FxA account.

[Steps to reproduce]:

  1. Open the Firefox browser with the profile from prerequisites.
  2. Navigate to the “about:logins” page.
  3. Edit the password of the breached account. (must be only one in the Login list)
  4. Open a new Firefox profile and navigate to “about:logins”.
  5. Sign in to sync with the same account.
  6. Observe the vulnerable logins from the Login list.

[Expected result]:

  • The logins are marked as vulnerable.

[Actual result]:

  • The logins are not marked as vulnerable.

[Notes]:

  • Even if a new login is created with the credentials of the previously breached account, the login is not marked as vulnerable.
  • Attached a screen recording with the issue.

Jared, did your recent related fix also fix this?

Flags: needinfo?(jaws)

No, my change wouldn't have fixed this since we only store what passwords are vulnerable per profile and don't sync that list. Once a password is marked as vulnerable it's only known to be vulnerable for that profile. Since the breached login has its password changed, when the logins are synced to the new profile the new profile won't know that there are vulnerable logins.

Flags: needinfo?(jaws)
Type: defect → enhancement
Priority: -- → P3
Summary: The logins are no longer marked as vulnerable after syncing logins on a new profile if all breached logins were resolved → Sync vulnerable passwords across devices
Whiteboard: [sync:passwords][sync-engine-addition] [passwords:storage]
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
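
Added example, not part of the bug thread and not Firefox's code: a simplified model of the behaviour described in the comment above, where the vulnerable-password list is kept per profile and Sync carries only the login records. `Profile`, `syncTo`, the `includeVulnerable` option and all sample logins and timestamps are hypothetical and constructed for illustration.

```javascript
// Simplified model of the report (added example). All names are hypothetical;
// this is not Firefox's storage or Sync implementation.
class Profile {
  constructor() {
    this.logins = new Map();              // guid -> { origin, password, changed }
    this.vulnerablePasswords = new Set(); // kept locally, never synced
  }
  // Remember the password of every login whose site was breached after the
  // password was last changed.
  scanBreaches(breaches) {
    for (const login of this.logins.values()) {
      const breachedAt = breaches[login.origin];
      if (breachedAt !== undefined && breachedAt > login.changed) {
        this.vulnerablePasswords.add(login.password);
      }
    }
  }
  changePassword(guid, password, now) {
    Object.assign(this.logins.get(guid), { password, changed: now });
  }
  vulnerableOrigins() {
    return [...this.logins.values()]
      .filter((l) => this.vulnerablePasswords.has(l.password))
      .map((l) => l.origin).sort();
  }
}

// Sync copies login records only. includeVulnerable models the enhancement
// requested in this bug: the vulnerable list travels with the logins.
function syncTo(source, target, { includeVulnerable = false } = {}) {
  for (const [guid, login] of source.logins) target.logins.set(guid, { ...login });
  if (includeVulnerable) {
    for (const p of source.vulnerablePasswords) target.vulnerablePasswords.add(p);
  }
}

// The steps to reproduce, with constructed logins and timestamps.
function reproduce(includeVulnerable) {
  const breaches = { "https://breached.example": 100 };
  const a = new Profile();
  a.logins.set("g1", { origin: "https://breached.example", password: "hunter2", changed: 50 });
  a.logins.set("g2", { origin: "https://shop.example", password: "hunter2", changed: 60 });
  a.logins.set("g3", { origin: "https://mail.example", password: "hunter2", changed: 70 });
  a.scanBreaches(breaches);                  // first profile learns "hunter2" is exposed
  a.changePassword("g1", "n3w-unique", 200); // step 3: breached login resolved
  const b = new Profile();                   // step 4: new profile
  syncTo(a, b, { includeVulnerable });       // step 5: sign in to sync
  b.scanBreaches(breaches);                  // no login on b looks breached any more
  return { a: a.vulnerableOrigins(), b: b.vulnerableOrigins() };
}
```

`reproduce(false)` leaves the second profile with no vulnerable logins although the first still flags the two that reuse the exposed password; `reproduce(true)` shows both profiles agreeing.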