Closed Bug 837435 Opened 10 years ago Closed 10 years ago

importing facebook contacts asks for password from an http: URL rather than https:


(Firefox OS Graveyard :: Gaia::Contacts, defect)

Gonk (Firefox OS)
Not set


(blocking-b2g:-, b2g18+)

blocking-b2g -
Tracking Status
b2g18 + ---


(Reporter: dbaron, Assigned: jmcf)



(Keywords: sec-moderate, Whiteboard: evangelism?)


(1 file)

Steps to reproduce:
 1. start the B2G contacts app (person icon in the bottom bar)
 2. tap the gear in the upper right (Settings)
 3. tap "Facebook" to import facebook contacts

Actual results:
  readonly URL bar briefly shows URL, which then changes (redirects?) to a URL, which prompts for my username and password

Expected results:
  I should be asked for my facebook username and password only via https, not http.
Not sure if this is us or them.
blocking-b2g: --- → tef?
Whiteboard: evangelism?
Flags: needinfo?(lmandel)
May be covered as part of Lawrence's work in bug 835983
Depends on: 835983
bug 835983 seemed to say that the page itself is loaded securely, but the subresources weren't. This one says there's now an insecure redirect. Probably the same issue (and on Facebook's side) but maybe not quite?

Either way passwords can be stolen by a network MITM (e.g. Firesheep).
Group: core-security
Keywords: sec-moderate
I don't see this redirect when loading in Firefox for Android with the default UA or Firefox OS UA. I also don't see a redirect happening when I execute

curl -LA "Mozilla/5.0 (Mobile; rv:21.0) Gecko/21.0 Firefox/21.0"

This makes me think the issue is on our end. Or, perhaps there was an issue 5 days ago but Facebook resolved it. Can you confirm that this is still an issue with the contacts app?
Flags: needinfo?(lmandel)
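An offline check for the behaviour the thread is probing, added here as an example (not code from the bug report or from Gaia): it walks a login URL's redirect chain hop by hop with the B2G User-Agent from the curl command above and flags any hop that drops from https to plain http. The fake fetcher and its example.invalid hostnames are constructed stand-ins for the real endpoints; `urllib_fetch` is the live equivalent for running the same walk against a real URL.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit
# User-Agent string taken from the curl command quoted in the bug thread.
B2G_UA = "Mozilla/5.0 (Mobile; rv:21.0) Gecko/21.0 Firefox/21.0"
REDIRECT_CODES = {301, 302, 303, 307, 308}

def walk_redirects(start_url, fetch, ua=B2G_UA, max_hops=10):
    """Follow Location headers hop by hop; fetch(url, ua) -> (status, headers), no auto-follow."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, headers = fetch(url, ua)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative to the current URL
        chain.append(url)
    raise RuntimeError("too many redirects from " + start_url)

def find_downgrades(chain):
    """Return (from_url, to_url) pairs where an https hop lands on plain http."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]

def urllib_fetch(url, ua):
    """Live fetcher: one request per call, redirects reported instead of followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for 3xx instead of following
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

# Constructed offline stand-in for the network that mimics the reported behaviour:
# an https login URL bounces to an http login URL. Hostnames are placeholders.
FAKE_RESPONSES = {
    "https://login.example.invalid/oauth?display=touch":
        (302, {"Location": "http://login.example.invalid/login.php?next=%2Foauth"}),
    "http://login.example.invalid/login.php?next=%2Foauth": (200, {}),
}
def fake_fetch(url, ua):
    return FAKE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    hops = walk_redirects("https://login.example.invalid/oauth?display=touch", fake_fetch)
    for src, dst in find_downgrades(hops):
        print("insecure downgrade: %s -> %s" % (src, dst))
```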
So I'd note that once I entered my username and password once (over wifi that I trusted), I never saw it again. So my suspicion is that there's no redirect to http: once there's a cookie, which would mean reproducing the bug requires flashing the phone clean. I can try that tomorrow if needed, but not right now.
Also, I believe I was referring to URLs *beginning with* or
Can we get QA to verify the suspicion in comment 5?  If this was Facebook side and is no longer happening obviously we won't block.
Keywords: qawanted
Attached image Screenshot of issue
I still see this using the latest nightly build:
Gaia   cff23a80c41b7de223d27c6a6f1f82f95c9c5f6b
BuildID 20130208070201
Version 18.0

1. Fresh flash, import Facebook contacts by selecting Contacts icon in Dock.
2. Briefly see a flash of https screen, then I arrive on the page in the screenshot.
Keywords: qawanted
I can reproduce this in the contacts app as well. I cannot reproduce this issue when I open in the Firefox OS browser. Anyone have thoughts on what might differ in the contacts app case?
This issue still reproduces on Unagi build 2013020800201 with Dec 5th Kernel

URL bar shows URL for a split second, which then changes to a URL, which prompts for a username and password.
This issue reproduces even when the username and password were already entered once (as mentioned in comment 5).
I checked that this was still happening in a clean v1-train self-built build from earlier today.
We wouldn't block on a sec-moderate issue, but would accept a low risk uplift. Francisco - what's the level of effort here? It appears that we're using https through the browser, but not in contacts.
Assignee: nobody → francisco.jordano
blocking-b2g: tef? → -
tracking-b2g18: --- → +
Reassigning to Jose Manuel, as he implemented the contact import feature, sure he can answer better than me.

Assignee: francisco.jordano → jmcf
This is a duplicate of 835983 ... I'll add more comments there as I have also been looking into this and talking to Facebook people.
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 835983