
When Security Key is changed on another client during web login, web ignores the new key and blocks #27155

Open
estellecomment opened this issue Mar 11, 2024 · 6 comments
Labels
A-E2EE O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist T-Defect

Comments


estellecomment commented Mar 11, 2024

Steps to reproduce

  1. Web session and android session are set up, with secure backup with security key. They decrypt messages, all good.
  2. web : log out.
  3. web : input username and password
  4. web : You are now here
     [Screenshot: Screen Shot 2024-03-11 at 3 53 55 PM]
  5. web : Click Verify with Security Key. You are now here (AccessSecretStorageDialog) :
     [Screenshot: Screen Shot 2024-03-11 at 4 13 37 PM]
  6. android : recreate the security key.
  7. web : input the new security key
     [Screenshot: Screen Shot 2024-03-11 at 3 54 49 PM]

Outcome

What did you expect?

Security key is right, I can continue to login

What happened instead?

Web client says security key is wrong, I cannot continue.
[Screenshot: Screen Shot 2024-03-11 at 3 54 49 PM]

Workaround and additional info

If instead I do these same steps in a different order, I can continue :
6. android : recreate the security key.
5. web : Click Verify with Security Key. You are now in AccessSecretStorageDialog
7. web : input the new security key

Or if I do the buggy flow, but then add steps :
8. Click Go back
9. Click Verify with Security Key. You are now in AccessSecretStorageDialog
10. web : input the new security key : it works

Conclusion : opening the AccessSecretStorageDialog seems to initialise something, that is then not refreshed to take into account the change that is made to secret storage.

How this happened in real life

This bug has really been encountered by a user who was blocked.
She found herself logged out on web client (maybe her browser storage had been erased because of lack of space on disk?)
She logged in again and could not find her security key.
Since she had a session on android, she regenerated the security key on android.
She input it in web and was blocked.

Operating system

macos or windows

Browser information

No response

URL for webapp

app.element.io

Application version

Element version: 1.11.59 Crypto version: Rust SDK 0.7.0 (fac36bc), Vodozemac 0.5.1

Homeserver

matrix.org

Will you send logs?

No

@estellecomment

edits : fixed a screenshot, and unmixed some steps.

@estellecomment

I am working on understanding the code around this. There's a lot of stuff :)
If you have any ideas of where to look it's welcome. Otherwise I'll just carry on!

@florianduros florianduros added S-Major Severely degrades major functionality or product features, with no satisfactory workaround O-Uncommon Most users are unlikely to come across this or unexpected workflow Team: Crypto labels Mar 25, 2024
@NicolasBuquet

The same problem at Element: #27155 ?

@t3chguy

t3chguy commented Apr 5, 2024

@NicolasBuquet you linked to this same issue?

@NicolasBuquet

@t3chguy
Yes 🤣
Sorry, a mistake on my side.
You can delete my comment before we go round and round !

@richvdh richvdh added A-Element-R Issues affecting the port of Element's crypto layer to Rust and removed Team: Crypto labels Aug 22, 2024
@richvdh richvdh added S-Minor Impairs non-critical functionality or suitable workarounds exist A-E2EE and removed S-Major Severely degrades major functionality or product features, with no satisfactory workaround A-Element-R Issues affecting the port of Element's crypto layer to Rust labels Sep 5, 2024
@andybalaam

Excellent bug report - thank you!
