[Security] Do not connect to accounts.google.com on enabling sync-v2 #12984

Closed
jumde opened this issue Dec 2, 2020 · 6 comments · Fixed by brave/brave-core#7346 or brave/brave-core#7480
Labels: OS/Desktop, priority/P2 (A bad problem. We might uplift this to the next planned release.), privacy/connect (This requires making a network connection to a third-party service.), QA Pass-Linux, QA Pass-macOS, QA Pass-Win64, QA/Yes, release-notes/include, security

Comments

@jumde
Contributor

jumde commented Dec 2, 2020

Description

A request to accounts.google.com is initiated when enabling sync.

Steps to Reproduce

  1. Enable sync on a fresh profile

Actual result:

Request to accounts.google.com initiated

Expected result:

Should not be initiated

Reproduces how often:

Easily

Brave version (brave://version info)

1.19.33 Chromium: 87.0.4280.67 (Official Build) nightly (x86_64)

Version/Channel Information:

  • Can you reproduce this issue with the current release? No
  • Can you reproduce this issue with the beta channel? No
  • Can you reproduce this issue with the nightly channel? Yes
@diracdeltas
Member

cc @darkdh

@jumde
Contributor Author

jumde commented Dec 3, 2020

jumde added the privacy/connect label Dec 3, 2020
jsecretan added the priority/P2 label Dec 7, 2020
AlexeyBarabash added this to the 1.20.x - Nightly milestone Dec 17, 2020
@AlexeyBarabash
Contributor

Also reproducible on stable

Brave 1.18.70 Chromium: 87.0.4280.101 (Official Build) unknown (64-bit)

and beta

Brave 1.19.60 Chromium: 87.0.4280.101 (Official Build) unknown (64-bit)

bbondy reopened this Dec 17, 2020
@bbondy
Member

bbondy commented Dec 17, 2020

Re-opening since it was reverted due to a Windows build failure here: brave/brave-core#7470

@GeetaSarvadnya

GeetaSarvadnya commented Jan 21, 2021

Verification is in-progress


Brave | 1.20.86 Chromium: 88.0.4324.96 (Official Build) dev (64-bit)
-- | --
Revision | 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS | Windows 10 OS Version 2004 (Build 19041.746)


  • Verified the STR from the description

Reproduced the issue in 1.19.86

Issue is fixed in 1.20.86 - ensured that the account.google.com domain isn't listed when standalone sync is initiated


Verification passed on

Brave 1.20.86 Chromium: 88.0.4324.96 (Official Build) dev (64-bit)
Revision 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS Ubuntu 18.04 LTS

Verified test plan from the description
Verified no connection to accounts.google.com

Verified test plan from brave/brave-core#7480
Verified on 1.20.86(dev) and 1.20.85(beta)

Verified also on macOS, using the testplan from brave/brave-core#7480

Reproduced the issue in release, using:

Brave 1.19.86 Chromium: 88.0.4324.96 (Official Build) (x86_64)
Revision 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS macOS Version 11.1 (Build 20C69)

Screen Shot 2021-01-26 at 9 55 41 AM

Then verified it's FIXED, using:

Brave 1.20.90 Chromium: 88.0.4324.96 (Official Build) dev (x86_64)
Revision 68dba2d8a0b149a1d3afac56fa74648032bcf46b-refs/branch-heads/4324@{#1784}
OS macOS Version 11.1 (Build 20C69)

Screen Shot 2021-01-26 at 9 58 33 AM

Finally, a comparison of the two:

Screen Shot 2021-01-26 at 10 00 24 AM

LaurenWags changed the title from "Do not connect to accounts.google.com on enabling sync-v2" to "[Security] Do not connect to accounts.google.com on enabling sync-v2" Feb 1, 2021
@rhee876527

This still isn't fixed. At least on Android. Any good reason this was looked over?
