Closed Bug 555577 Opened 16 years ago Closed 16 years ago

Weave Sync should not expose account ID in primary UI

Categories

(Firefox :: Sync, defect)

defect
Not set
normal


RESOLVED WONTFIX
Future

People

(Reporter: richard.mahoney, Unassigned)

References

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6

Hello,

I believe that Weave Sync should not show the username in the right corner of the browser by default. Although the account is protected by a hash with a salt, it's common practice to post screenshots of websites by pressing Print Screen or by using ALT + Print Screen. As Firefox gains more popularity, more users will use Weave and more will be using the browser to take screenshots of websites for various purposes. Taking a screenshot and uploading it to a forum (for example) without editing the bitmap to hide any personal details will reveal the login of the Weave user.

If an attacker got the login username of a few Weave users, they could potentially run a dictionary attack against the login by using common passwords ("password", "goaway", "secret", "1234" etc). This would then compromise all their bookmarks, passwords and other personal information.

Thanks,
Richard

Reproducible: Always

Steps to Reproduce:
1. Install Weave
2. Log into Weave
3. Look to the right of the status bar

Actual Results:
Username is displayed

Expected Results:
Username is displayed
There is probably a close relationship between the names in e-mail addresses floating in clear text across the internet and Weave account names. For example, an attacker could guess richard.mahoney, richardm, rmahoney, richard or mahoney to start dictionary attacks against the password and passphrase.

That said, it's probably a reasonable request to not show the user name, as an option, for situations like you suggest (when taking screenshots, in attendance at security conferences with lots of blackhats around, and other situations where leaking the Weave account name may add some risk). The same would go for future identity features that people are thinking about.

This bug should probably have the security flag removed, since the additional risk is probably pretty low, and the benefit of getting more people looking at the bug and thinking about ways to mitigate the problem would be increased if the bug was opened up.
Group: core-security
Component: Security → Sync
Product: Firefox → Weave
QA Contact: firefox → sync
Once we actually have identity and/or sharing, any mitigation here is trivially defeated, and future revs of the Firefox UI have this exposed even more prominently. I don't actually think discovery of username is a security issue, nor do I believe that obfuscation/obscurity of this UI should be accorded any value in a security model. I mean... every webmail site in the world has this issue, why is Weave any different?

In any case, if a user is using a weak password AND a weak passphrase, they're probably also using easily deduced usernames as well, so I really don't think we should over-rotate here.
Summary: Weave Sync - potential security/personal data leak → Weave Sync should not expose account ID in primary UI
(In reply to comment #2)
> Once we actually have identity and/or sharing, any mitigation here is trivially
> defeated, and future revs of the Firefox UI have this exposed even more
> prominently. I don't actually think discovery of username is a security issue,
> nor do I believe that obfuscation/obscurity of this UI should be accorded any
> value in a security model. I mean... every webmail site in the world has this
> issue, why is weave any different?
>
> In any case, if a user is using a weak password AND a weak passphrase, they're
> probably also using easily deduced usernames as well, so I really don't think
> we should over-rotate here.

The fact remains that the username is clearly visible. This is a security risk and should be closed.
I pretty much agree it's not worth over-rotating, and I think we could go round and round about how much incremental risk is added by exposing the user name.

Richard, a more concrete example of mconnor's suggestion is the Gmail window that you might have open right now. If you took a screenshot of that window and posted it, you would expose your Gmail user name. The same would go for just about any service that you are logged into. Weave is just another one of those services.

It might be a more interesting question to ask "what's the value of showing the Weave identity in various situations?" I'd suggest the value is pretty low for Weave Sync. A single sync identity is tied pretty closely to a single Firefox profile. We are basically showing *you* who *you* are... There could be more useful ways to show logged-in state, which the user name tries to do now. For sync we could just as easily show the identity on mouse-over of the Weave icon, or in the context menu when it pops up.

When we get to Connect and other Weave services where many "user identities" or "contexts" come into play, the issues get more complex, and the value of showing user names and context gets.
Hello Chris.

> It might be a more interesting question to ask "what's the value of showing the Weave identity in various situations?" I'd suggest the value is pretty low for Weave Sync.

Yes, I agree with this. I believe that it's good to show that sync is logged in/active, but maybe something simple like a green globe/circle instead? This could also go red when not logged in, or yellow when there are sync problems?

Actually, something like the following image would work well and could be seen as more of a "feature" addition as well as closing the user ID leak at the same time.

http://www.greenbuildky.com/images/uploads/icon-globe-lg.png

Richard
I don't think this is a priority at the current time, but I'm sure this will be revisited when the Firefox UX team digs into this with the larger UI refresh.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Target Milestone: --- → Future
Component: Firefox Sync: Backend → Sync
Product: Cloud Services → Firefox