Importing contacts from facebook requires too many permissions

VERIFIED FIXED

Status

defect
VERIFIED FIXED
7 years ago
6 years ago

People

(Reporter: mossop, Assigned: jmcf)

Tracking

({b2g-testdriver, unagi})

Firefox Tracking Flags

(blocking-b2g:tef+, blocking-basecamp:-, b2g18 verified, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 verified)

Details

(Whiteboard: Need_FB_Support)

Attachments

(2 attachments)

When importing contacts from Facebook I have to agree to a ridiculous number of permissions.
(Reporter)

Comment 2

7 years ago
Posted image app permissions
At a guess ... all of them. This is a screenshot from Facebook showing all the permissions the app got. I don't understand why it needs any of it except things from friends' profile info.
(Reporter)

Updated

7 years ago
Summary: Important contacts from facebook requires too many permissions → Importing contacts from facebook requires too many permissions
Ah, you're talking about facebook permissions, not b2g permissions.

I think this is Jose's code?

Not sure if this is a blocker or not.

Tom: Do you have opinions?
Assignee: nobody → jmcf
blocking-basecamp: --- → ?
This is being discussed also in bug 804031
Marking this bug to block bug 804031. Adding needInfo to privacy team. We need a decision there if this is something we are blocking v1 or not.
Blocks: 804031
Flags: needinfo?(tom)

Comment 6

7 years ago
Suggestion: this is not a privacy blocker, but may instead be a usability or security blocker.

As long as we don't actually *use* any of these permissions, I don't think it's a privacy problem per se. However, the fact that we ask for them looks like a huge usability & adoption issue; I'd certainly be scared if I saw that, and might well not want to continue.

In addition, if a user accepts this, I assume that we get a token of some sort which has the authority to do these things. If that's stored on the phone, then there's the risk that some nefarious actor might get the token and use all those permissions. That would obviously be a privacy disaster, but as a result of a security vulnerability.
Flags: needinfo?(tom)

Updated

7 years ago
No longer blocks: 804031
Depends on: 804031
+1 on this, just saw this and denied the import. This needs to be better thought through for security purposes.
Per triage: not considered blocking, given privacy team feedback. Working on getting a sec team response for this. We'd like to see this fixed, but it's not considered inherently harmful at this time.
blocking-basecamp: ? → -
Excuse the drive-by, but my take on this (as a 'security person') is that we shouldn't request permissions we don't need.

There are (at least) 2 reasons for this:
1) In the event that whatever we're doing is open to abuse, the impact is minimised (think Principle of Least Privilege)
2) Legitimate apps asking users for everything, all of the time, would seem to desensitize people to malicious apps that do the same - I can't support this with actual data, but it's a common argument in criticisms of Android, for example.
We have raised concerns in the past about Mozilla authored apps that have too much access to personal data on 3rd party sites like FB in the past, and while I agree with Tom's comments about this only being a privacy issue if there is a security bug, we need to rein in the permissions the app is requesting from FB.

Paul, David, other than adjusting the permissions the app is looking for on the call to facebook, is there anything else needed here?
According to Daniel from TEF:

"Yeah, we need to have a look at the permissions used. The FB integration lead engineer has been on holidays this week. Hope he can review the permissions next one. I am pretty sure we will need a more meaningful application key and set of permissions requested when going live to production."
(Assignee)

Comment 12

7 years ago
I have checked the requested permissions and those really needed and we can request less as wall post and messaging are done through FB Dialogs. I have changed them but the message for the user remains the same. I need to contact FB about this issue.
(Assignee)

Updated

7 years ago
Status: NEW → ASSIGNED
Component: Gaia → Gaia::Contacts
(Assignee)

Comment 13

7 years ago
FB was granting all those permissions for our app as it is whitelisted. FB is going to grant only those permissions which are really needed. We are awaiting the fix on their side.
(Assignee)

Updated

6 years ago
Whiteboard: Need_FB_Support
Duplicate of this bug: 825644

Updated

6 years ago
blocking-basecamp: - → ?
Not blocking, outside of our code scope. Individual issues of the FB integration that we *can* affect should be filed as separate issues out of the review in bug 804031.
blocking-basecamp: ? → -

Updated

6 years ago
Blocks: 804031
No longer depends on: 804031
(In reply to Jose M. Cantera from comment #13)
> FB was granting all those permissions for our app as it is whitelisted. FB
> is going to grant only those permissions which are really needed. We are
> awaiting the fix on their side

Jose, can you confirm if this fix has been implemented and if not, could you please follow up asap?
Flags: needinfo?(jmcf)
(Assignee)

Comment 17

6 years ago
As I said to you privately, we are going to reiterate our request to Facebook for fixing this. It is a must.

thanks!
Flags: needinfo?(jmcf)
(Assignee)

Comment 18

6 years ago
After talking to FB, we are close to resolving this. ETA is next week (starting 18/02).
(Assignee)

Comment 19

6 years ago
Posted file Pointer to GH PR
The patch adjusts the requested permissions to only those which are really needed. In addition, Facebook has adjusted their platform to only whitelist us for certain permissions.

Once we get an r+ this patch should also be landing in v1-train and v1.0.1.
Attachment #715918 - Flags: review?(crdlc)
(Assignee)

Updated

6 years ago
blocking-b2g: --- → tef?
Comment on attachment 715918 [details]
Pointer to GH PR

I deleted the app from my Facebook account and it works fine, thanks.
Attachment #715918 - Flags: review?(crdlc) → review+
https://github.com/mozilla-b2g/gaia/commit/ad0cf0db979f9cda26cc29153e3069fe8d575e32
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Marking as blocker so this low risk fix can land without approval when ready to v1-train and v1.0.1
blocking-b2g: tef? → tef+
v1-train@46d43c65b3bb29f8da61b4fc30f11eac401fb072
v1.0.1@b60ff85c8f7bb9bf6a76620e969ae1097e185f2c
Bug 853195 noted, FTE portion can't be checked due to bug 852598.

Gecko  http://hg.mozilla.org/releases/mozilla-b2g18_v1_0_1/rev/e74dafa6b2d9
Gaia   1438da6ca0e020a8df686e2100a668370dfe6fb6
BuildID 20130312230202
Version 18.0

Gecko  http://hg.mozilla.org/releases/mozilla-b2g18/rev/778da49486f0
Gaia   6c3767c2dea43b5e9aff7d156d36d69649005621
BuildID 20130320070206
Version 18.0
Status: RESOLVED → VERIFIED