Passwords remain accessible after disconnecting Lockbox

mozilla-lockwise / lockwise-android

Firefox's Lockwise app for Android

https://mozilla-lockwise.github.io/lockwise-android/

Mozilla Public License 2.0

623 stars 104 forks source link

Passwords remain accessible after disconnecting Lockbox #537

Open callahad opened 5 years ago

callahad commented 5 years ago

Steps:

Sign into Lockbox
Menu → Account → Disconnect Firefox Lockbox
(unknown :frowning_face:)
Re-enter the app, prompted for fingerprint
Lockbox unlocks, displays all previous passwords

The Lockbox UI shows me logged in as "Firefox Account" with no user avatar (in the sidebar, it's the Lockbox icon; in the Accounts page it's the default white-on-gray silhouette).

Perhaps related to #312 and #365?

callahad commented 5 years ago

Unfortunately, I'm having trouble reproducing this reliably. I know that I did not sign back into Lockbox in Step 3.

My fuzzy recollection is that I was poking around at the email entry field to try and understand #535, but I do not believe I ever submitted it.

At some point, I returned to Lockbox (my phone screen may have timed out and gone to sleep?), at which point I believe I was prompted with the normal "Unlock" screen. Hit Unlock, tapped my fingerprint scanner, and boom: all of my old entries were visible.

sashei commented 5 years ago

I've tried a few things to reproduce this: before each attempt: sign in, disconnect my account

background + wait >5minutes (default autolock time), still on welcome screen ✅
navigate to the FxA login screen before backgrounding, wait >5minutes, still on FxA login screen ✅
both of the previous, with the "Don't Keep Activities" setting enabled ✅

@callahad thank you for filing; difficult to repro, let me know if you find anything more concrete !!

callahad commented 5 years ago

I really, really wish I could find definitive repro steps.

All I can assert is that this situation is possible.

Shouldn't it be impossible to purge the session (e.g., my profile appears as "Firefox Account") without also clearing the storage?

santiagofn commented 5 years ago

Can confirm @callahad experience. The first time I followed the "sign in, then disconnect" steps, my passwords were still visible (I entered into Account and my avatar had disappeared, as @callahad said). After that I closed the app, reopened it and tried again to sign in and disconnect but this time everything works fine. Maybe it's a "first try" bug?

eliserichards commented 4 years ago

Needs reproduce on the latest version (v2.0.0+).