Closed Bug 1850553 Opened 2 years ago Closed 2 years ago

Remove name/password from deleted passwords

Categories

(Toolkit :: Password Manager, defect)

Desktop
All
defect

Tracking

VERIFIED FIXED
119 Branch
Tracking Status
firefox-esr115 --- disabled
firefox118 --- wontfix
firefox119 --- verified
firefox120 --- verified

People

(Reporter: enndeakin, Assigned: enndeakin)

Attachments

(1 file)

When a synced password is deleted, the details should be replaced and only the guid and sync details should be maintained.

Pushed by neil@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f2910ef42c46 remove most information from a login that has been synced when it is deleted, r=credential-management-reviewers,sync-reviewers,sgalich,markh
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
Flags: qe-verify+
QA Contact: hyacoub

I would like to attempt verification of this fix. How exactly do I determine if a build is affected or not? Thanks!

Flags: needinfo?(enndeakin)

You would need to manually inspect logins.json from the profile directory. Before deleting a login that has been synced, it will contain all of the login details such as hostname, password, etc. for a particular login. After deleting the login, those details should have been removed, leaving only the guid and some sync-related fields. The deleted login should still properly get deleted remotely or on other devices when the sync happens.

Flags: needinfo?(enndeakin)

** A different behavior is present in ESR 115:

  1. login before sync:
    {"nextId":2,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGq2xrCFQSMHBBjiApV4gn+gXc5QxOgNA4kPQIzOuv/eA3M=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECECcCRET2v7LBBDO0cj9uU0e8B8WXPX1z8kk","guid":"{095d8e11-3d52-4b87-95a6-a68987106668}","encType":1,"timeCreated":1697806034738,"timeLastUsed":1697806034738,"timePasswordChanged":1697806034738,"timesUsed":1,"encryptedUnknownFields":null}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}
  2. login after sync:
    {"nextId":4,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGq2xrCFQSMHBBjiApV4gn+gXc5QxOgNA4kPQIzOuv/eA3M=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECECcCRET2v7LBBDO0cj9uU0e8B8WXPX1z8kk","guid":"{095d8e11-3d52-4b87-95a6-a68987106668}","encType":1,"timeCreated":1697806034738,"timeLastUsed":1697806034738,"timePasswordChanged":1697806034738,"timesUsed":1,"encryptedUnknownFields":null}
  3. login after delete: unable to find any information about the login

** The issue reproduces as reported in Release v118.0.2:

  1. login before sync:
    {"nextId":2,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMRPxehdn+i/BBhW8Qeg/XxdE/C1QmNYUPzTVEZVTd5AdR8=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFNOSkKhkgdjBBD/btFpIImf/JuqcF+ZIOnM","guid":"{fdec518e-c70c-4992-90fb-aefeb6a0744f}","encType":1,"timeCreated":1697806984440,"timeLastUsed":1697806984440,"timePasswordChanged":1697806984440,"timesUsed":1,"syncCounter":1,"everSynced":false,"encryptedUnknownFields":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJbKvavJRMFNBAipZyTqSb3qsA=="}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}
  2. login after sync:
    {"nextId":3,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMRPxehdn+i/BBhW8Qeg/XxdE/C1QmNYUPzTVEZVTd5AdR8=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFNOSkKhkgdjBBD/btFpIImf/JuqcF+ZIOnM","guid":"{fdec518e-c70c-4992-90fb-aefeb6a0744f}","encType":1,"timeCreated":1697806984440,"timeLastUsed":1697806984440,"timePasswordChanged":1697806984440,"timesUsed":1,"syncCounter":0,"everSynced":true,"encryptedUnknownFields":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJbKvavJRMFNBAipZyTqSb3qsA=="}
  3. login after delete:
    {"nextId":3,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMRPxehdn+i/BBhW8Qeg/XxdE/C1QmNYUPzTVEZVTd5AdR8=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFNOSkKhkgdjBBD/btFpIImf/JuqcF+ZIOnM","guid":"{fdec518e-c70c-4992-90fb-aefeb6a0744f}","encType":1,"timeCreated":1697806984440,"timeLastUsed":1697806984440,"timePasswordChanged":1697806984440,"timesUsed":1,"syncCounter":1,"everSynced":true,"encryptedUnknownFields":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJbKvavJRMFNBAipZyTqSb3qsA==","deleted":true}

** The issue is fixed in Beta v119.0 (RC) and Nightly v120.0a1:

  1. login before sync:
    {"nextId":2,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECHNrdhiI+//XBBhGIikoUpavkMQYZdIovYkT7OlDe3hxl+w=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNYDcJVuTCcsBBDaZf0r5JzDj0R4V9RIn6/E","guid":"{4116ab85-96fd-42ae-b872-f0874a5e36d7}","encType":1,"timeCreated":1697807275082,"timeLastUsed":1697807275082,"timePasswordChanged":1697807275082,"timesUsed":1,"syncCounter":1,"everSynced":false,"encryptedUnknownFields":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPn7p7GWS0caBAiRgztONrMcRg=="}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}
  2. login after sync:
    {"nextId":3,"logins":[{"id":1,"hostname":"https://www.facebook.com","httpRealm":null,"formSubmitURL":"https://www.facebook.com","usernameField":"email","passwordField":"pass","encryptedUsername":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECEmc7+OeD0M7BBg/Q1V6rR8WQR1X8M2SALbDmFxT6AR4mKw=","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECI2h9Wmxi1gMBBDv+/O8ccMpg73DkpPaHy6O","guid":"{fdec518e-c70c-4992-90fb-aefeb6a0744f}","encType":1,"timeCreated":1697807275082,"timeLastUsed":1697807275082,"timePasswordChanged":1697807275082,"timesUsed":1,"syncCounter":0,"everSynced":true,"encryptedUnknownFields":null}
  3. login after delete:
    {"nextId":3,"logins":[{"id":1,"guid":"{fdec518e-c70c-4992-90fb-aefeb6a0744f}","timePasswordChanged":1697807275082,"syncCounter":0,"everSynced":true,"deleted":true}

As pointed out in the previous comment, this issue was reproduced in Release v118.0.2, a different behavior was discovered in ESR v115.4.0esr, and the fix was verified in Beta v119.0 (RC) and Nightly v120.0a1 on Windows 10, Mac OS 11 and Ubuntu 22.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
OS: Unspecified → All
Hardware: Unspecified → Desktop
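
The manual logins.json inspection described in this thread can be scripted. The following is an added example, not part of the bug thread or of Firefox's code: it flags deleted logins that still carry more than the fields seen in the 119/120 "login after delete" record. The function name `audit_deleted_logins`, the allowed-field set and the sample data are assumptions constructed for illustration.

```python
import json

# Fields left on a deleted synced login in the fixed builds, taken from the
# "login after delete" record in the 119/120 verification comment (assumption:
# that record shows the complete set).
TOMBSTONE_FIELDS = {"id", "guid", "timePasswordChanged",
                    "syncCounter", "everSynced", "deleted"}


def audit_deleted_logins(logins_json_text):
    """Return {guid: [leftover field names]} for deleted logins that still
    carry non-null data beyond the tombstone fields."""
    data = json.loads(logins_json_text)
    findings = {}
    for login in data.get("logins", []):
        if login.get("deleted") is not True:
            continue  # live logins legitimately keep all their details
        leftover = sorted(k for k, v in login.items()
                          if k not in TOMBSTONE_FIELDS and v is not None)
        if leftover:
            findings[login.get("guid", "<no guid>")] = leftover
    return findings


# Constructed sample (placeholder values, not real profile data): a live login,
# a deleted login in the 118 shape, and a deleted login in the 119 shape.
SAMPLE = json.dumps({
    "nextId": 4,
    "logins": [
        {"id": 1, "hostname": "https://example.com", "httpRealm": None,
         "encryptedUsername": "<ciphertext>", "encryptedPassword": "<ciphertext>",
         "guid": "{live-0001}", "syncCounter": 0, "everSynced": True},
        {"id": 2, "hostname": "https://example.org", "httpRealm": None,
         "formSubmitURL": "https://example.org", "usernameField": "email",
         "passwordField": "pass", "encryptedUsername": "<ciphertext>",
         "encryptedPassword": "<ciphertext>", "guid": "{old-0002}",
         "timePasswordChanged": 1, "syncCounter": 1, "everSynced": True,
         "deleted": True},
        {"id": 3, "guid": "{new-0003}", "timePasswordChanged": 1,
         "syncCounter": 0, "everSynced": True, "deleted": True},
    ],
    "version": 3,
})

if __name__ == "__main__":
    for guid, fields in audit_deleted_logins(SAMPLE).items():
        print(f"{guid}: deleted but still stores {', '.join(fields)}")
```

An empty result means every deleted entry in the file has been reduced to its guid and sync fields.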