Closed aXe1 closed 4 years ago
Good catch, and thanks for filing.
This is a limitation of our hash range query API design with Have I Been Pwned. (Because hash functions are case-sensitive.)
We've discussed fixing some of this by querying for some common case variants - e.g., Some.Email@gmail.com, some.email@gmail.com, SOME.EMAIL@GMAIL.COM, etc.
But ultimately, the properties of the hash range query severely limit what we can do here.
I think it would be great to:
Initial monitor was showing my e-mail as having multiple leaks in the past, while logging in now is showing 0 -- curious why this is
I should also note, in my case, I usually log in to sites with Callek@gmail.com
note the capital C, and that is what Monitor sees me as, but many DBs and such tend to normalize to callek@gmail.com
I was asked over Slack to comment here stating my own findings as well.
Note: when we scan from the home page, we lowercase the user input. When we scan a user's FxA email address, we don't. That will account for the discrepancy here.
It looks as though Troy normalizes email addresses to lowercase when he loads them into HIBP, so we should make this consistent, and lowercase our scans for FxA and the added email addresses too.
Just saw this again - I would've been notified about a breach if I hadn't capitalized the email address when signing up for Firefox Sync.
Yup, we're working on fixing the capitalization issue across the site ... https://github.com/mozilla/blurts-server/pull/1188#pullrequestreview-285003145
This should be fixed and deployed now!
Confirmed :tada:
I registered a Firefox Account with sOmE.eMaiL@gmail.com
When I open Firefox Monitor it shows no security breaches, and when I manually do a check for some.email@gmail.com - it shows some breaches.