Email is case sensitive #976

Closed
aXe1 opened this issue May 22, 2019 · 8 comments
Labels: back-end, defect (Issue describes a defect that negatively impacts use.), effort-M (Expected to take a week for engineering to complete.), HIBP, priority-P1

Comments

aXe1 commented May 22, 2019

I registered a Firefox Account with sOmE.eMaiL@gmail.com. When I open Firefox Monitor it shows no security breaches, and when I manually do a check for some.email@gmail.com, it shows some breaches.

groovecoder (Member)

Good catch, and thanks for filing.

This is a limitation of our hash range query API design with Have I Been Pwned. (Because hash functions are case-sensitive.)

We've discussed fixing some of this by querying for some common case variants - e.g., Some.Email@gmail.com, some.email@gmail.com, SOME.EMAIL@GMAIL.COM, etc.

But ultimately, the properties of the hash range query severely limit what we can do here.

aXe1 (Author) commented May 23, 2019

I think it would be great to:

  1. Warn the user about this problem, so it would not be unexpected. As a user I can know nothing about how it works under the hood.
  2. Check the common variants you gave. And, as far as I can imagine, the most common would be the all-lower-case variant, because many services force lower-case email addresses before storing and provide a case-insensitive interface for the user. Are there any related issues that I can subscribe to?

Callek commented Jun 4, 2019

Initial monitor was showing my e-mail as having multiple leaks in the past, while logging in now is showing 0 -- curious why this is.
I should also note, in my case, I usually log in to sites with Callek@gmail.com (note the capital C), and that is what Monitor sees me as, but many DBs and such tend to normalize to callek@gmail.com.

I was asked over Slack to comment here stating my own findings as well.

@groovecoder groovecoder added the defect Issue describes a defect that negatively impacts use. label Jun 4, 2019
groovecoder (Member)

Note: when we scan from the home page, we lowercase the user input. When we scan a user's FxA email address, we don't. That will account for the discrepancy here.

It looks as though Troy normalizes email addresses to lowercase when he loads them into HIBP, so we should make this consistent, and lowercase our scans for FxA and the added email addresses too.

Dessix commented Sep 7, 2019

Just saw this again. I would've been notified about a breach if I hadn't capitalized the email address when signing up for Firefox Sync.

groovecoder (Member)

Yup, we're working on fixing the capitalization issue across the site ... #1188 (review)

@ddurst ddurst added effort-M Expected to take a week for engineering to complete. priority-P1 labels Sep 10, 2019
@groovecoder groovecoder self-assigned this Sep 11, 2019
groovecoder added a commit that referenced this issue Sep 19, 2019
for #976: tweaks to log and exit lower-casing script
groovecoder (Member)

This should be fixed and deployed now!

Callek commented Sep 27, 2019

Confirmed 🎉
