Closed Bug 1624716 Opened 5 years ago Closed 5 years ago

Update Lockwise alerts SUMO page to add info on vulnerable logins

Categories

(support.mozilla.org :: Knowledge Base Content, task, P1)

Product:
support.mozilla.org
Component:
Knowledge Base Content
Type:
task

Tracking

(firefox-esr68 unaffected, firefox74 unaffected, firefox75 unaffected, firefox76 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- fixed

People

(Reporter: jaws, Unassigned)

References

(
URL
)

Details

We will need to create a page on SUMO that can give some background on vulnerable logins in Firefox Lockwise.

Vulnerable logins are defined as a login that shares a password with a breached login in the same Firefox profile. Just as we ask a user to change their password for a website that gets breached, if that password is shared with other logins then we will ask the user to change their password on the other sites too.

This page will be linked to from within Firefox Lockwise in the "vulnerable passwords" notification.

Component: about:logins → Knowledge Base Content
Product: Firefox → support.mozilla.org

We already have https://support.mozilla.org/1/firefox/76.0a1/Darwin/en-US/lockwise-alerts which we can probably update btw.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

I think we can use this bug for updating the page for Fx76.

URL: https://support.mozilla.org/1/firefox...
Status: RESOLVED → REOPENED
Type: enhancement → task
status-firefox74: --- → unaffected
status-firefox75: --- → unaffected
status-firefox76: --- → affected
status-firefox-esr68: --- → unaffected
Resolution: INVALID → ---
Summary: Add SUMO page that gives some background on vulnerable logins → Update Lockwise alerts SUMO page to add info on vulnerable logins
Status: REOPENED → NEW

Hello, it seems like much of the existing content is incorrect as it's mixing up information about the monitor website (and monitor card in about:protections) with the Lockwise integration which doesn't do any lookup of passwords. Here is a quick summary of things. I'm happy to go into more detail. It would be great to fix the inaccuracies about breached passwords ASAP.

  • Breached logins: We get the list of breached sites containing passwords and check two things for each login:
    • Is the login's domain on the list of breached sites with passwords (or is it a subdomain of one on that list) AND is the password change date before the breach date. If a login is considered breached we store this password in a list of passwords which are vulnerable.
  • Vulnerable passwords: The saved login's password matches one in the list of passwords from potentially breached logins (see above).

Neither of these use the email address or username for detection nor do they lookup the password with any database outside your computer.

Severity: normal → critical

I made a small edit to the revision that's pending review - see https://support.mozilla.org/en-US/kb/firefox-lockwise-alerts-breached-websites/history

Flags: needinfo?(jsavage)

I've published both of your updates. Thank you!

Flags: needinfo?(jsavage)

Resolving this, feel free to reopen if there are any other changes needed for 76

Status: NEW → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.