mozilla / blurts-server

Mozilla Monitor arms you with tools to keep your personal information safe. Find out what hackers already know about you and learn how to stay a step ahead of them.
https://monitor.mozilla.org
Mozilla Public License 2.0

Email is case sensitive #976

Closed aXe1 closed 4 years ago

aXe1 commented 5 years ago

I registered a Firefox Account with sOmE.eMaiL@gmail.com. When I open Firefox Monitor it shows no security breaches, and when I manually do a check for some.email@gmail.com, it shows some breaches.

groovecoder commented 5 years ago

Good catch, and thanks for filing.

This is a limitation of our hash range query API design with Have I Been Pwned. (Because hash functions are case-sensitive.)

We've discussed fixing some of this by querying for some common case variants - e.g., Some.Email@gmail.com, some.email@gmail.com, SOME.EMAIL@GMAIL.COM, etc.

But ultimately, the properties of the hash range query severely limit what we can do here.

aXe1 commented 5 years ago

I think it would be great to:

  1. Warn user about this problem, so it would not be unexpected. As a user I can know nothing about how it works under the hood.
  2. Check the common variants you gave. And, as far as I can imagine, the most common would be the all-lower-case variant, because many services force lower-case email addresses before storing them and provide a case-insensitive interface for the user. Are there any related issues that I can subscribe to?

Callek commented 5 years ago

Initial Monitor was showing my e-mail as having multiple leaks in the past, while logging in now is showing 0 -- curious why this is. I should also note that in my case I usually log in to sites with Callek@gmail.com (note the capital C), and that is what Monitor sees me as, but many DBs and such tend to normalize to callek@gmail.com.

I was asked over Slack to comment here stating my own findings as well.

groovecoder commented 5 years ago

Note: when we scan from the home page, we lowercase the user input. When we scan a user's FxA email address, we don't. That will account for the discrepancy here.

It looks as though Troy normalizes email addresses to lowercase when he loads them into HIBP, so we should make this consistent, and lowercase our scans for FxA and the added email addresses too.

Dessix commented 5 years ago

Just saw this again - I would've been notified about a breach if I hadn't capitalized the email address when signing up for Firefox Sync.

groovecoder commented 5 years ago

Yup, we're working on fixing the capitalization issue across the site ... https://github.com/mozilla/blurts-server/pull/1188#pullrequestreview-285003145

groovecoder commented 4 years ago

This should be fixed and deployed now!

Callek commented 4 years ago

Confirmed :tada: