Signing in with a different user causes Lockwise to merge credentials from both old and new user
Categories
(Firefox :: Firefox Accounts, defect)
People
(Reporter: tse0123, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
I had a Firefox account on my PC.
This account had my login credentials in Lockwise.
I logged out of this account, created a new one with a different email, and logged in with it on the same PC.
Actual results:
While logged in with the different account, the credentials from my account were visible in Lockwise.
Lockwise merged the credentials of the two accounts.
Furthermore, after syncing they were also available from other computers.
Expected results:
Each account should have only its own user credentials. No merging of credentials should be done.
Comment 1•4 years ago
Logging out of a Firefox account does not clear local data, so the login details stored through Lockwise will still have been present locally, and that's how they got added to the second account.
Comment 2•4 years ago
Thanks for the report! This is currently "expected" behaviour as :Gijs explains above, in the sense that we know why this happens. But I agree it's likely not what you expect as a user.
I logged out of this account, created a new one with a different email, and logged in with it on the same PC.
When signing in with the different email, it should have shown a confirmation dialog warning that your data may be merged with data from a previous account. Do you recall seeing such a dialog when signing in?
Comment 4•4 years ago
Hi Ryan.
No, I don't recall such a dialogue.
Either way, from the user's perspective, it's not right to store credentials system-wide.
Even if you store them locally and not in the cloud, this data should only be accessible to the logged-in user, since it is fetched from their account.
On a shared PC, when switching accounts, this constitutes a significant security liability.
Once the user logs out of their account, their data should not be accessible to other users; at least that's the appropriate behavior the way I see it.
The only exception to this could be credentials stored under no account.
Syncing of credentials should also be strictly account-wise.
Another issue is that you can't delete multiple logins simultaneously, you have to do it one by one.
Not a bug but quite inconvenient.
Comment 5•4 years ago
(In reply to Giorgos from comment #4)
Another issue is that you can't delete multiple logins simultaneously, you have to do it one by one.
Not a bug but quite inconvenient.
Yeah - while it doesn't help you now, that's being done in bug 1613620.
Comment 6•4 years ago
Once the user logs out of their account, their data should not be accessible to other users; at least that's the appropriate behavior the way I see it.
Yes. There is some discussion about this in Bug 1600210, although I don't want to mark this bug as an exact duplicate of that one because Bug 1600210 doesn't cover the "merged with other data" case.
Comment 7•4 years ago
First-class support for multiple profiles could also help.
Comment 8•4 years ago
The severity field is not set for this bug.
:markh, could you have a look please?
Comment 9•4 years ago
(In reply to Ryan Kelly [:rfkelly] from comment #6)
Yes. There is some discussion about this in Bug 1600210, although I don't want to mark this bug as an exact duplicate of that one because Bug 1600210 doesn't cover the "merged with other data" case.
I'm not sure this is going to be actionable beyond that bug though. In the future, bug 1600210 will ask the user whether to delete, but if the user declines and then signs in again, we will warn data will be merged, and if they click through that, they will end up in this state, which we will consider the expected behaviour.
Comment 10•3 years ago
Mark, is the severity for this still accurate? As we currently triage long-standing S1/S2 bugs, I wanted to confirm this is accurate.
Comment 11•3 years ago
In bug 1657463 we added a dialog that is shown when the user disconnects from Sync, and this allows the user to delete all data locally, including passwords.
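The following is an added example and not Firefox or Lockwise code. It models the sequence discussed in comments 1, 9 and 11: a per-device login store that survives signing out of a Firefox account, Sync as a two-way merge of the local store with the account's collection, and the two choices a user can make when disconnecting (keep local data, as in comment 1, or delete it, as the dialog from bug 1657463 allows). Every class and function name (`LoginStore`, `AccountStore`, `Device`, `sync`, `scenario`) is invented for illustration, and the sample logins are constructed.

```javascript
// Added example, not Firefox/Lockwise code. Models the credential-merge
// behaviour described in this bug; all names here are invented.

// Per-device login store (the data that stays on disk after sign-out).
class LoginStore {
  constructor() {
    this.logins = new Map(); // key: "origin|username" -> login record
  }
  add(origin, username, password) {
    this.logins.set(`${origin}|${username}`, { origin, username, password });
  }
  has(origin, username) {
    return this.logins.has(`${origin}|${username}`);
  }
  clear() {
    this.logins.clear();
  }
}

// Server-side per-account collection (what Sync holds for one account).
class AccountStore {
  constructor(email) {
    this.email = email;
    this.logins = new Map();
  }
  has(origin, username) {
    return this.logins.has(`${origin}|${username}`);
  }
}

// Sync modelled as a union keyed by origin+username: local records are
// uploaded to the account, and account records are downloaded locally.
function sync(local, account) {
  for (const [k, v] of local.logins) account.logins.set(k, v);
  for (const [k, v] of account.logins) local.logins.set(k, v);
}

class Device {
  constructor() {
    this.local = new LoginStore();
    this.account = null;
  }
  // Comment 9: the merge warning is assumed to be clicked through.
  signIn(account) {
    this.account = account;
    sync(this.local, account);
  }
  // Comment 1: sign-out keeps local data unless the user opts to delete it
  // (the option added by the disconnect dialog from bug 1657463).
  signOut({ deleteLocalData = false } = {}) {
    this.account = null;
    if (deleteLocalData) this.local.clear();
  }
}

// Reproduces the reporter's steps and returns what each party ends up with.
function scenario({ deleteLocalData }) {
  const alice = new AccountStore("alice@example.com"); // constructed sample
  const bob = new AccountStore("bob@example.com");     // constructed sample
  const sharedPc = new Device();
  const otherPc = new Device(); // Bob's second machine

  sharedPc.local.add("https://bank.example", "alice", "hunter2");
  sharedPc.signIn(alice);                 // Alice's login reaches her account
  sharedPc.signOut({ deleteLocalData });  // keep or wipe the local store
  sharedPc.signIn(bob);                   // leftover local data merges into Bob's account
  otherPc.signIn(bob);                    // and Sync carries it to Bob's other PC

  return {
    aliceStillHasLogin: alice.has("https://bank.example", "alice"),
    bobHasAlicesLogin: bob.has("https://bank.example", "alice"),
    otherPcHasAlicesLogin: otherPc.local.has("https://bank.example", "alice"),
  };
}

console.log("keep local data:  ", scenario({ deleteLocalData: false }));
console.log("delete local data:", scenario({ deleteLocalData: true }));
```

With `deleteLocalData: false` the model reproduces the report: Alice's login ends up in Bob's account and on Bob's other machine. With `deleteLocalData: true` it does not, and Alice's own account still holds her login because it was synced before the sign-out. The real-world check on a shared machine is the same as the reporter's: after disconnecting and signing in with the second account, open about:logins and confirm that none of the first account's entries are listed.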