synced login and password should be flushed if logged out of the browser
Categories
(Firefox :: Sync, enhancement)
People
(Reporter: abi.tgt, Unassigned)
References
(Depends on 1 open bug)
Attachments
(1 file: 91.69 KB, image/png)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
- Sign in to your account.
- Sync your login and passwords via Lockwise [not sure how these components interact with the Firefox browser and Lockwise].
- Log out of Firefox.
Actual results:
Login and passwords still available.
Expected results:
Login and passwords should be available until the browser is available under a login session and cleared out if expired [not sure here] / logged out [this is important].
Attached is the screenshot, taken after logging out. Credentials still stay; this needs to be flushed.
I see this as an important security risk.
Comment 1•4 years ago
Your expectation is reasonable for a different model of product, but that is not what we've built. You aren't logging into "Firefox", you're logging into your cloud "Firefox Account" used for syncing between different devices. We've always considered the local data to be the ground truth, with the copy stored on Sync just that -- a copy.
Since lots of the profile data is potentially sensitive (e.g. history, bookmarks) we've always relied on OS account security for multi-user shared machines. That is, people should sign into their own OS accounts, and use a guest account for visitors.
A "cloud first" sync experience could be useful when traveling and borrowing other people's computers. You can approximate that by logging out of sync and then using the "Clear Recent History" feature set to "everything", or even having your browser set to always clear data when shut down (an option in settings). For safety I'd recommend logging out of sync first so we don't accidentally sync your lack of data! Start-up could be pretty slow if you're downloading all your data each time.
Ryan: is there already a feature bug about this kind of "cloud native" profile? Is it in the plans, or explicitly not something we're doing? Clearly we'd have to finish "Durable sync" (bug 1465313) first.
Comment 2•4 years ago
Hi there! This is a pretty common case that's come up before, in bug 1600210 and others—some folks expect signing out to delete all their data locally, others expect it to be deleted from the server, but not the device, and still others expect it to be kept everywhere until they sign back in. As Dan said, all of these are reasonable expectations depending on how you think about the product, and it's surprising when those expectations don't match how the product actually works!
There are a few things we're doing to make this better. First, Lockwise will soon have the ability to bulk-delete passwords (bug 1613620). This is currently easy to do for history and cookies via Clear Recent History, like Dan mentioned, and possible (though a little tedious) for bookmarks—but no way to do that yet for logins. Second, Desktop will soon have a checkbox (see the links and discussion in https://github.com/mozilla/application-services/issues/3371) to delete data from the device when you sign out. We tried this a couple of years ago, and ended up removing it because the experience was confusing, but we've come up with one that's simpler and easier to understand.
I'll go ahead and dupe this out to bug 1600210, but thanks for filing the issue!