importing facebook contacts asks for password from an http: URL rather than https:

RESOLVED DUPLICATE of bug 835983

Status

Firefox OS
Gaia::Contacts

People

(Reporter: dbaron, Assigned: Jose Manuel Cantera)

Tracking

Keywords: sec-moderate
Version: unspecified
Hardware: ARM
OS: Gonk (Firefox OS)

Firefox Tracking Flags

(blocking-b2g:-, b2g18+)

Details

(Whiteboard: evangelism?)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Steps to reproduce:
 1. start the B2G contacts app (person icon in the bottom bar)
 2. tap the gear in the upper right (Settings)
 3. tap "Facebook" to import facebook contacts

Actual results:
  readonly URL bar briefly shows https://m.facebook.com/ URL, which then changes (redirects?) to an http://m.facebook.com/ URL, which prompts for my username and password

Expected results:
  I should be asked for my facebook username and password only via https, not http.
Not sure if this is us or them.
blocking-b2g: --- → tef?
Whiteboard: evangelism?
Flags: needinfo?(lmandel)

Comment 2

5 years ago
May be covered as part of Lawrence's work in bug 835983
Depends on: 835983
bug 835983 seemed to say that the page itself is loaded securely, but the subresources weren't. This one says there's now an insecure redirect. Probably the same issue (and on Facebook's side) but maybe not quite?

Either way passwords can be stolen by a network MITM (e.g. Firesheep).
Group: core-security
Keywords: sec-moderate
I don't see this redirect when loading https://m.facebook.com in Firefox for Android with the default UA or Firefox OS UA. I also don't see a redirect happening when I execute

curl -LA "Mozilla/5.0 (Mobile; rv:21.0) Gecko/21.0 Firefox/21.0" https://m.facebook.com

This makes me think the issue is on our end. Or, perhaps there was an issue 5 days ago but Facebook resolved it. Can you confirm that this is still an issue with the contacts app?
Flags: needinfo?(lmandel)
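A defender-side check for the behaviour discussed in this bug, added here as an example (it is not code from the bug, from Gaia or from Facebook): it walks a `curl -iL`-style transcript of the redirect chain and flags any hop that downgrades from https: to http:, plus any password form that ends up served over plain http. The transcript below is a constructed sample modelled on the report, not real Facebook output, and the URL is the one named in the bug.

```python
import urllib.parse

# Constructed sample of what `curl -iL` prints while following redirects.
# It models the reported behaviour: the https: page answers with a 302 to an
# http: login page, which then serves a password form in the clear.
SAMPLE_TRANSCRIPT = """HTTP/1.1 302 Found
Location: http://m.facebook.com/login.php?next=%2F
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html

<form method="post" action="/login.php"><input type="password" name="pass"></form>
"""

def parse_transcript(transcript):
    """Split a curl -i style transcript into a list of
    {"status": int, "headers": {lowercase-name: value}, "body": str}."""
    responses, in_headers = [], False
    for line in transcript.splitlines():
        if line.startswith("HTTP/"):          # status line starts a new response
            responses.append({"status": int(line.split()[1]), "headers": {}, "body": ""})
            in_headers = True
        elif in_headers:
            if line.strip() == "":            # blank line ends the header block
                in_headers = False
            else:
                name, _, value = line.partition(":")
                responses[-1]["headers"][name.strip().lower()] = value.strip()
        elif responses:                       # everything else is body text
            responses[-1]["body"] += line + "\n"
    return responses

def audit_chain(start_url, transcript):
    """Follow the chain from start_url and return findings as tuples:
    ("downgrade", from_url, to_url) for an https -> http hop and
    ("password-form-over-http", url, None) for a password form on http."""
    findings, url = [], start_url
    for resp in parse_transcript(transcript):
        scheme = urllib.parse.urlsplit(url).scheme
        location = resp["headers"].get("location")
        if 300 <= resp["status"] < 400 and location:
            next_url = urllib.parse.urljoin(url, location)   # resolve relative Location
            if scheme == "https" and urllib.parse.urlsplit(next_url).scheme == "http":
                findings.append(("downgrade", url, next_url))
            url = next_url
        elif scheme == "http" and 'type="password"' in resp["body"].lower():
            findings.append(("password-form-over-http", url, None))
    return findings
```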
(Reporter)

Comment 5

5 years ago
So I'd note that once I entered my username and password once (over wifi that I trusted), I never saw it again.  So my suspicion is that there's no redirect to http: once there's a cookie, which would mean reproducing the bug requires flashing the phone clean.  I can try that tomorrow if needed, but not right now.
(Reporter)

Comment 6

5 years ago
Also, I believe I was referring to URLs *beginning with* http://m.facebook.com/ or https://m.facebook.com/
Can we get QA to verify the suspicion in comment 5?  If this was Facebook side and is no longer happening obviously we won't block.
Keywords: qawanted
Created attachment 711905 [details]
Screenshot of issue

I still see this using the latest nightly build:
Gecko  http://hg.mozilla.org/releases/mozilla-b2g18/rev/71ddeff45ec2
Gaia   cff23a80c41b7de223d27c6a6f1f82f95c9c5f6b
BuildID 20130208070201
Version 18.0

STR:
1. Fresh flash, import Facebook contacts by selecting Contacts icon in Dock.
2. Briefly see a flash of https screen, then I arrive on the page in the screenshot.
Keywords: qawanted
I can reproduce this in the contacts app as well. I cannot reproduce this issue when I open https://m.facebook.com in the Firefox OS browser. Anyone have thoughts on what might differ in the contacts app case?

Comment 10

5 years ago
This issue still reproduces on Unagi build 2013020800201 with Dec 5th Kernel

URL bar shows https://m.facebook.com/ URL for a split second, which then changes to an http://m.facebook.com/ URL, which prompts for a username and password.
This issue reproduces even when the username and password were already entered once (as mentioned in comment 5).
(Reporter)

Comment 11

5 years ago
I checked that this was still happening in a clean v1-train self-built build from earlier today.
We wouldn't block on a sec-moderate issue, but would accept a low risk uplift. Francisco - what's the level of effort here? It appears that we're using https through the browser, but not in contacts.
Assignee: nobody → francisco.jordano
blocking-b2g: tef? → -
tracking-b2g18: --- → +
Reassigning to Jose Manuel, as he implemented the contact import feature, sure he can answer better than me.

Thanks!
Assignee: francisco.jordano → jmcf
This is a duplicate of 835983 ... I'll add more comments there as I have also been looking into this and talking to Facebook people.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 835983