Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secure_backup_required not enforced on "Phase.Passphrase" step and with manual URLs change/page reloads #23810

Open
yasinishyn opened this issue Nov 21, 2022 · 1 comment
Open

secure_backup_required not enforced on "Phase.Passphrase" step and with manual URLs change/page reloads #23810

yasinishyn opened this issue Nov 21, 2022 · 1 comment
Labels
O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist Security T-Defect

Comments

@yasinishyn
Copy link

yasinishyn commented Nov 21, 2022
edited
Loading

Steps to reproduce

I found 3 ways to skip the key backup:

#### 1 Set a Security Phrase:

  1. Setup the server with the secure_backup_required .well-known setting;
  2. Login into element_web UI (or create a new account);
  3. (for existing accounts) On the Verify this device step click on Reset All and confirm the reset;
  4. On the Set up Secure Backup step select the Enter a Security Phrase option;
  5. Click on x or click outside the modal, or click on cancel;

#### 2 Set a Security Phrase -> Confirm login:

  1. Execute steps 1 to 4 from the above;
  2. Create and confirm security Phrase on the Set a Security Phrase and Confirm Security Phrase modal pages;
  3. Download or copy the backup on the Save your Security Key page;
  4. Click on x or click outside the modal, or click on cancel on the Auth confirmation page that appears after;

#### 3 Manual URL change or page refresh:

  1. Execute steps 1 to 3 from the 1 Set a Security Phrase;
  2. manually change the URL to any existing room URLs or just refresh the page.

*#### Related bug
You can't close the Set up Secure Backup window if the flow was started from the settings page even if the current user has a valid e2e setup.

Related PR: matrix-org/matrix-react-sdk#5130 (comment)

Please find attached screen recordings showing the issue

Screen.Recording.2022-11-21.at.20.51.44.mov
Screen.Recording.2022-11-21.at.20.57.59.mov

Outcome

#### What did you expect?
Sending messages, reading messages, etc... should not be possible unless the e2e key is created and the backup is saved.

#### What happened instead?
The cancel button and x is only hidden for the Set up Secure Backup and Save your Security Key modal windows and the key backup can be easily skipped in the Set a Security Phrase flow or manual URL update or/and page refresh.

Operating system

macOS

Browser information

Version 107.0.5304.110 (Official Build) (arm64)

URL for webapp

#/home, #/login, #/

Application version

1.11.14

Homeserver

matrix.org

Will you send logs?

No
@yasinishyn yasinishyn changed the title secure_backup_required not enforced unless on "Phase.Passphrase" step and manual URL change secure_backup_required not enforced on "Phase.Passphrase" step and with manual URLs change/page reloads Nov 22, 2022
@andybalaam andybalaam added S-Minor Impairs non-critical functionality or suitable workarounds exist Security O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Nov 22, 2022
@yasinishyn yasinishyn mentioned this issue Dec 8, 2022
Closed
@yasinishyn
Copy link
Author

Adding an example PR go give an idea of how this might be fixed - matrix-org/matrix-react-sdk#9729

@t3chguy t3chguy mentioned this issue Jan 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist Security T-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andybalaam @yasinishyn