Bug 837435 (Closed)
Opened 12 years ago; closed 12 years ago
importing facebook contacts asks for password from an http: URL rather than https:
Categories: Firefox OS Graveyard :: Gaia::Contacts, defect
Tracking: blocking-b2g: -, b2g18+
Status: RESOLVED DUPLICATE of bug 835983
blocking-b2g: -
Tracking flags:
  b2g18: tracking +, status ---
People: Reporter: dbaron, Assigned: jmcf
Keywords: sec-moderate; Whiteboard: evangelism?
Attachments (1 file): 28.60 KB, image/png
Steps to reproduce:
1. start the B2G contacts app (person icon in the bottom bar)
2. tap the gear in the upper right (Settings)
3. tap "Facebook" to import facebook contacts
Actual results:
readonly URL bar briefly shows https://m.facebook.com/ URL, which then changes (redirects?) to an http://m.facebook.com/ URL, which prompts for my username and password
Expected results:
I should be asked for my facebook username and password only via https, not http.
Not sure if this is us or them.
blocking-b2g: --- → tef?
Whiteboard: evangelism?
Updated•12 years ago
Flags: needinfo?(lmandel)
Comment 3•12 years ago
bug 835983 seemed to say that the page itself is loaded securely, but the subresources weren't. This one says there's now an insecure redirect. Probably the same issue (and on Facebook's side) but maybe not quite?
Either way passwords can be stolen by a network MITM (e.g. Firesheep).
Group: core-security
Keywords: sec-moderate
Comment 4•12 years ago
I don't see this redirect when loading https://m.facebook.com in Firefox for Android with the default UA or Firefox OS UA. I also don't see a redirect happening when I execute
curl -LA "Mozilla/5.0 (Mobile; rv:21.0) Gecko/21.0 Firefox/21.0" https://m.facebook.com
This makes me think the issue is on our end. Or, perhaps there was an issue 5 days ago but Facebook resolved it. Can you confirm that this is still an issue with the contacts app?
Flags: needinfo?(lmandel)
Comment 5 (Reporter)•12 years ago
So I'd note that once I entered my username and password once (over wifi that I trusted), I never saw it again. So my suspicion is that there's no redirect to http: once there's a cookie, which would mean reproducing the bug requires flashing the phone clean. I can try that tomorrow if needed, but not right now.
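Comment 4 checks for the redirect with curl -L, and comment 5 suspects the downgrade only happens when no session cookie is present. The script below is an added example (not part of Gaia, Bugzilla or this bug's attachments) that makes that check repeatable: it follows redirects one hop at a time instead of letting the HTTP library auto-follow, records every hop, and flags any https to http downgrade or a final page that is not https. The fetch function is injected so the chain can be checked offline; the sample responses and the cookie name below are constructed for illustration, not observed Facebook traffic. The User-Agent string is the one from comment 4.

```python
"""Audit a login page's redirect chain for https -> http downgrades.

Added example for bug 837435; not Gaia or Bugzilla code.  The sample
responses and the cookie value are constructed, not captured traffic.
"""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# UA string taken from the curl command in comment 4.
UA = "Mozilla/5.0 (Mobile; rv:21.0) Gecko/21.0 Firefox/21.0"
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, headers):
    """Real fetcher: one request, no auto-follow. Returns (status, headers)."""
    opener = build_opener(NoRedirect())
    try:
        resp = opener.open(Request(url, headers=headers), timeout=10)
        return resp.status, dict(resp.headers.items())
    except HTTPError as err:  # 3xx surfaces here because NoRedirect returns None
        return err.code, dict(err.headers.items())


def audit_chain(start_url, fetch, extra_headers=None, max_hops=10):
    """Follow redirects by hand and report scheme downgrades.

    Returns {"hops": [...], "final": url, "findings": [...]}; an empty
    findings list means every hop, including the final page, was https.
    """
    headers = {"User-Agent": UA}
    if extra_headers:
        headers.update(extra_headers)
    url = start_url
    hops = [url]
    findings = []
    for _ in range(max_hops):
        status, resp_headers = fetch(url, headers)
        if status not in REDIRECT_CODES:
            break
        location = next(
            (v for k, v in resp_headers.items() if k.lower() == "location"), None
        )
        if not location:
            findings.append(f"{status} without Location at {url}")
            break
        nxt = urljoin(url, location)  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        url = nxt
        hops.append(url)
    else:
        findings.append("too many redirects")
    if urlsplit(url).scheme != "https":
        findings.append(f"final page is not https: {url}")
    return {"hops": hops, "final": url, "findings": findings}


# Constructed offline stand-in for the behaviour described in comments 3-5:
# without a cookie the https page 302s to the http host; with a cookie it
# just serves the page.  These are not real Facebook responses.
SAMPLE_RESPONSES = {
    "https://m.facebook.com/": (302, {"Location": "http://m.facebook.com/"}),
    "http://m.facebook.com/": (200, {}),
}


def sample_fetch(url, headers):
    if "Cookie" in headers:  # constructed: a session cookie skips the redirect
        return 200, {}
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    # Swap sample_fetch for live_fetch to test against a real host.
    for label, extra in (("no cookie", None), ("with cookie", {"Cookie": "session=constructed"})):
        result = audit_chain("https://m.facebook.com/", sample_fetch, extra)
        print(label, "->", " -> ".join(result["hops"]))
        for finding in result["findings"]:
            print("  !", finding)
```

Running the two cases with the constructed fetcher reproduces the pattern the reporter suspects: the cookieless chain is flagged twice (a downgrade hop and a non-https final page), the cookie-bearing one never leaves https. Against a real host, replace sample_fetch with live_fetch; the point of not auto-following is that a split-second https page, as described in comment 10, still shows up as its own hop.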
Comment 6 (Reporter)•12 years ago
Also, I believe I was referring to URLs *beginning with* http://m.facebook.com/ or https://m.facebook.com/
Comment 7•12 years ago
Can we get QA to verify the suspicion in comment 5? If this was Facebook side and is no longer happening obviously we won't block.
Keywords: qawanted
Comment 8•12 years ago
I still see this using the latest nightly build:
Gecko http://hg.mozilla.org/releases/mozilla-b2g18/rev/71ddeff45ec2
Gaia cff23a80c41b7de223d27c6a6f1f82f95c9c5f6b
BuildID 20130208070201
Version 18.0
STR:
1. Fresh flash, import Facebook contacts by selecting Contacts icon in Dock.
2. Briefly see a flash of https screen, then I arrive on the page in the screenshot.
Comment 9•12 years ago
I can reproduce this in the contacts app as well. I cannot reproduce this issue when I open https://m.facebook.com in the Firefox OS browser. Anyone have thoughts on what might differ in the contacts app case?
Comment 10•12 years ago
This issue still reproduces on Unagi build 2013020800201 with Dec 5th Kernel
URL bar shows https://m.facebook.com/ URL for a split second, which then changes to an http://m.facebook.com/ URL, which prompts for a username and password.
This issue reproduces even when the username and password were already entered once (as mentioned in comment 5).
Comment 11 (Reporter)•12 years ago
I checked that this was still happening in a clean v1-train self-built build from earlier today.
Comment 12•12 years ago
We wouldn't block on a sec-moderate issue, but would accept a low risk uplift. Francisco - what's the level of effort here? It appears that we're using https through the browser, but not in contacts.
Comment 13•12 years ago
Reassigning to Jose Manuel, as he implemented the contact import feature; I'm sure he can answer better than me.
Thanks!
Assignee: francisco.jordano → jmcf
Comment 14•12 years ago
This is a duplicate of 835983 ... I'll add more comments there, as I have also been looking into this and talking to Facebook people.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE