Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Firefox IT Technology

Firefox Says Its Revamped SmartBlock Won't Break Facebook Login Buttons Anymore (theverge.com) 32

Firefox 90 introduces the next version of SmartBlock, the browser's tracker blocking mechanism built into its private browsing and strict modes, which now has improvements designed to prevent buttons that let you log into websites using your Facebook account from breaking, Mozilla announced on Tuesday. From a report: SmartBlock was first introduced with Firefox 87 in March, and if you aren't familiar, here's Mozilla's description of how it works, from the company's blog: "SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy. SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact." Sometimes, though, the feature would break Facebook login buttons. In a new blog post, Mozilla's Tom Wisniewski and Arthur Edelstein explain why this would happen, using an example of trying to log in to Etsy.
This discussion has been archived. No new comments can be posted.

Firefox Says Its Revamped SmartBlock Won't Break Facebook Login Buttons Anymore

Comments Filter:
  • by Anonymous Coward on Tuesday July 13, 2021 @02:03PM (#61579059)
    do us all a favor!
  • by Carewolf ( 581105 ) on Tuesday July 13, 2021 @02:17PM (#61579109) Homepage

    Using a login from one site to logon to another site, is dangerous and seriously bad behavior, much worse than even sharing passwords. If we can we SHOULD make it nonfunctional.

    • by Carewolf ( 581105 ) on Tuesday July 13, 2021 @02:19PM (#61579119) Homepage

      Break Google and Apple logins as well though ;)

    • Please provide specific technical reasons as to why you believe OAuth2 to be "seriously bad behavior".

      Heck, you could even describe Kerberos as "using a login from one site to logon to another site".

      • by raymorris ( 2726007 ) on Tuesday July 13, 2021 @03:22PM (#61579271) Journal

        It's very simple - and abused / exploited often enough.

        You go to my site.
        You click "login with Google".
        You get a div/iframe with Google's logo asking for your Google user name and password.
        You enter your Google username and password.

        I now have your Gmail login, which I use to reset your bank password. You *ASSUMED* that your username and password was going to Google because you saw Google's logo. I can right-click save Google's logo and put in on my form very, very easily. Since the login form is embedded in my page, I can send that info wherever I want.

        What's safer (though not perfect), is how OAuth is used by Onelogin and similar. FIRST, you go to Onelogin. You login, then on the Onelogin page you have a link to Service Now or whatever and you click the site you want to go to AFTER you logged in. Not before.

        Even where the third-party site links to the authentication provider, it's one XSS away from the bad guy getting your Google or Apple creds. New XSS vulnerabilities are discovered every month.

        If you want a login that approaches actual security you need to public keys. That way, no site gets your secret, so they can't use it to log in to another site. Rather, they use your public key (which is under public, not secret) to verify that *you* have your private key.

        • You get a div/iframe with Google's logo asking for your Google user name and password.

          ...but the domain will be wrong.

          This page (with google logo and everything) will have an url that will look something like
          https://www.google.com.raymorr... [dynhost.org]
          Not the usual:
          https://accounts.google.com/ [google.com]

          Also, if the user is already logged into google, OAuth2 won't require a full log-in starting from scratch, instead it will give a list of currenlty logged in account to pick from and eventually re-ask the password for that account to confirm the OAuth2 authentication.

          Even if the user is distracted and doesn't pay

          • You're right that password managers won't automatically fill it in, unless of course the attacker takes advantage of some truly horrid URL parsing bugs in certain password managers. (Strstr() anyone?).

            The user won't, can't SEE the URL of it's iframe like medium.com and other sites do.

            On a site like medium, the only indication the user has of anything weird is that the password manager doesn't fill it in automatically, IF the user is using a password manager AND the attacker hasn't looked at the Caves for th

            • The user won't, can't SEE the URL of it's iframe like medium.com and other sites do.

              Hiding the URL of an OAuth provider by wraping it inside an iframe would be a very bad practice.
              I would have expected this practice to be at minimum discouraged by OAuth providers, or at best detected and rejected.

              It turns out that all providers I use clearly open their log-in or confirmation screen in a separate page.

              IF the user is using a password manager

              Current best practices encourage the use of a password manager, and TFA's Firefox comes with one (Lockwise) out of the box.

    • Comment removed based on user account deletion
    • It depends. My government has several sites that i can log into (taxes, Healthcare, etc.).

      I can log in any of those sites by using that site's specific account, or I can click the govconnect button, which asks me which site's credentials I want to use, redirects me to the chosen one to log in, and then brings me back on the first site.

      It's great, because i can use one single account to log into all of them, but only because they are all gov sites, which drastically reduces the risks and privacy concerns.

      Usi

  • I mean "blocking" any domains with BookFace in the URL.

    I do log into BookFace a couple times a year, just to catch up with friends and family. I have a completely separate browser to do that. It's kind of a pain, but I do get to see some nice pictures.

  • The whole point of the anti-tracking tech is to prevent the tracking. If you 'login with facebook' the federated login process means they are going to be able to get all the tracking info the could want (well they always want more but you know what I mean). If a user is going to chose that option - they have more or less already consented to FB tracking them on that domain. They should just probably not use the private/anti-tracking mode there.

    Mozilla should not be getting into a giant cat-and-mouse with b

    • Dude if it makes you STOP SPAMMING, i'll give you a free private email. Just send me a message over slashdot. You can then use it to register to all the various other social media sites. But for the love of god STOP SPAMMING.
  • Just add a popup (Score:5, Insightful)

    by PPH ( 736903 ) on Tuesday July 13, 2021 @03:14PM (#61579263)

    "You selected 'Private Browsing' mode. Why are you using Facebook?"

  • Just what I wanted. The ability to log into Facebook again.
    Dear Mozilla,
    That isn't the reason your browser is tanking in user share.
  • It should be obvious from the title that I don't use facebook logins, or for that matter facebook at all (where possible).

    So I wasn't aware that it was broken. Maybe it should have stayed broken. lol

  • Firefox is my primary browser on mobile and desktop. I appreciate their focus on customer privacy. I haven't upgraded to the latest version because they removed tab tiling, but hopefully that feature will be back soonðYz

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...