mozilla-lockwise / lockwise-android

Firefox's Lockwise app for Android
https://mozilla-lockwise.github.io/lockwise-android/
Mozilla Public License 2.0

Breach alerts #940

Open eliserichards opened 4 years ago

eliserichards commented 4 years ago

User Story

Dependencies

Acceptance Criteria

groovecoder commented 4 years ago

In desktop, we have a LoginBreaches module with a getPotentialBreachesByLoginGUID function. The logic in there should hopefully be descriptive and self-explanatory, but ping me with any questions about it.

It uses breach data from the fxmonitor-breaches collection from Remote Settings. That collection is populated by an updatebreaches.js cron job running on the Firefox Monitor server, which gets its data from the public HIBP JSON endpoint.

If Lockwise can't access Firefox Remote Settings, it could use the HIBP JSON directly. But the feature would definitely need a privacy review, because even though the GET request to HIBP leaks nothing about sites or credentials, it does effectively send a ping to a 3rd party.
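
Added example, not part of the thread and not Mozilla's LoginBreaches code: a sketch of matching saved logins against a downloaded breach list entirely on-device, which is why fetching the list reveals nothing about sites or credentials. The breach field names follow the public HIBP breach model; the login shape, the function names, the matching rule (password last changed before the breach date, breach exposed passwords) and the simplified host comparison are assumptions.

```javascript
// Added sketch, not Mozilla's code. Breach fields (Name, Domain, BreachDate,
// DataClasses) follow the public HIBP breach model; the login shape
// (guid, origin, timePasswordChanged in ms) is an assumption.

// Simplified host check: exact match or subdomain of the breached domain.
// A production version would use a public-suffix-aware comparison.
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Returns Map<login guid, breach> for logins whose password predates a
// password-exposing breach of the same site. No network access is needed.
function potentialBreachesByLoginGuid(logins, breaches) {
  const result = new Map();
  for (const login of logins) {
    let host;
    try {
      host = new URL(login.origin).hostname;
    } catch (e) {
      continue; // skip logins with an unparseable origin
    }
    for (const breach of breaches) {
      if (!breach.Domain) continue; // record carries no domain to match on
      const classes = breach.DataClasses;
      if (!Array.isArray(classes) || !classes.includes("Passwords")) continue;
      const breachTime = Date.parse(breach.BreachDate);
      if (Number.isNaN(breachTime)) continue;
      if (login.timePasswordChanged < breachTime &&
          hostMatchesDomain(host, breach.Domain)) {
        result.set(login.guid, breach);
        break;
      }
    }
  }
  return result;
}

// Constructed sample data, not real breach records.
const sampleBreaches = [
  { Name: "ExampleBreach", Domain: "example.com", BreachDate: "2019-06-01", DataClasses: ["Email addresses", "Passwords"] },
  { Name: "NoPasswords", Domain: "example.org", BreachDate: "2019-06-01", DataClasses: ["Email addresses"] },
  { Name: "NoDomain", Domain: "", BreachDate: "2019-06-01", DataClasses: ["Passwords"] },
];
const sampleLogins = [
  { guid: "{a}", origin: "https://login.example.com", timePasswordChanged: Date.parse("2018-01-01") },
  { guid: "{b}", origin: "https://example.com", timePasswordChanged: Date.parse("2020-01-01") },
  { guid: "{c}", origin: "https://example.org", timePasswordChanged: Date.parse("2018-01-01") },
  { guid: "{d}", origin: "https://notexample.com", timePasswordChanged: Date.parse("2018-01-01") },
];
```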