
When Security Key is changed on another client during web login, web ignores the new key and blocks

Open estellecomment opened this issue 1 year ago • 5 comments

Steps to reproduce

  1. Web session and android session are set up, with secure backup with security key. They decrypt messages, all good.

  2. web : log out.

  3. web : input username and password

  4. web : You are now here [screenshot: Screen Shot 2024-03-11 at 3 53 55 PM]

  5. web : Click Verify with Security Key. You are now here (AccessSecretStorageDialog) : [screenshot: Screen Shot 2024-03-11 at 4 13 37 PM]

  6. android : recreate the security key.

  7. web : input the new security key [screenshot: Screen Shot 2024-03-11 at 3 54 49 PM]

Outcome

What did you expect?

Security key is right, I can continue to log in

What happened instead?

Web client says security key is wrong, I cannot continue. [screenshot: Screen Shot 2024-03-11 at 3 54 49 PM]

Workaround and additional info

If instead I do these same steps in a different order, I can continue :

  6. android : recreate the security key.

  5. web : Click Verify with Security Key. You are now in AccessSecretStorageDialog

  7. web : input the new security key

Or if I do the buggy flow, but then add steps :

  8. Click Go back

  9. Click Verify with Security Key. You are now in AccessSecretStorageDialog

  10. input the new security key : it works

Conclusion : opening the AccessSecretStorageDialog seems to initialise something, that is then not refreshed to take into account the change that is made to secret storage.

How this happened in real life

This bug has really been encountered by a user who was blocked. She found herself logged out on web client (maybe her browser storage had been erased because of lack of space on disk?). She logged in again and could not find her security key. Since she had a session on android, she regenerated the security key on android. She input it in web and was blocked.

Operating system

macos or windows

Browser information

No response

URL for webapp

app.element.io

Application version

Element version: 1.11.59 Crypto version: Rust SDK 0.7.0 (fac36bc), Vodozemac 0.5.1

Homeserver

matrix.org

Will you send logs?

No

estellecomment avatar Mar 11 '24 15:03 estellecomment
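
The following is an added example, not code from element-web or matrix-js-sdk: a small Node.js model of the behaviour the report's conclusion hypothesises, where a dialog snapshots the secret storage key metadata when it opens and then checks the entered key against that snapshot. The key check follows the Matrix `m.secret_storage.v1.aes-hmac-sha2` scheme; the `AccountData` and `Dialog` classes, the key ids and the key and IV bytes are constructed assumptions.

```javascript
// Added illustration; not element-web or matrix-js-sdk code.
const { hkdfSync, createCipheriv, createHmac, timingSafeEqual } = require("node:crypto");

// Matrix m.secret_storage.v1.aes-hmac-sha2 key check: HKDF the key (zero salt,
// empty info), AES-256-CTR encrypt 32 zero bytes, HMAC-SHA-256 the ciphertext.
function keyCheckMac(key, iv) {
    const okm = Buffer.from(hkdfSync("sha256", key, Buffer.alloc(32), Buffer.alloc(0), 64));
    const cipher = createCipheriv("aes-256-ctr", okm.subarray(0, 32), iv);
    const ct = Buffer.concat([cipher.update(Buffer.alloc(32)), cipher.final()]);
    return createHmac("sha256", okm.subarray(32)).update(ct).digest();
}

// Metadata a client publishes for a key (account data m.secret_storage.key.<id>).
function makeKeyInfo(key, iv) {
    return { iv: iv.toString("base64"), mac: keyCheckMac(key, iv).toString("base64") };
}

function keyMatches(key, info) {
    const mac = keyCheckMac(key, Buffer.from(info.iv, "base64"));
    return timingSafeEqual(mac, Buffer.from(info.mac, "base64"));
}

// Hypothetical stand-in for the account data that both sessions share.
class AccountData {
    constructor() { this.keys = new Map(); this.defaultKeyId = null; }
    setDefaultKey(id, info) { this.keys.set(id, info); this.defaultKeyId = id; }
    defaultKeyInfo() { return this.keys.get(this.defaultKeyId); }
}

// Hypothetical dialog: snapshots the default key metadata when it opens.
class Dialog {
    constructor(accountData) { this.accountData = accountData; this.info = accountData.defaultKeyInfo(); }
    checkStale(key) { return keyMatches(key, this.info); }                         // uses the snapshot
    checkFresh(key) { return keyMatches(key, this.accountData.defaultKeyInfo()); } // re-reads first
}

function scenario() {
    const oldKey = Buffer.alloc(32, 0x11), newKey = Buffer.alloc(32, 0x22); // constructed keys
    const account = new AccountData();
    account.setDefaultKey("old", makeKeyInfo(oldKey, Buffer.alloc(16, 1)));
    const dialog = new Dialog(account);                                     // step 5: dialog opens
    account.setDefaultKey("new", makeKeyInfo(newKey, Buffer.alloc(16, 2))); // step 6: key recreated
    return {
        staleRejectsNewKey: !dialog.checkStale(newKey),                // step 7: blocked
        staleAcceptsOldKey: dialog.checkStale(oldKey),                 // snapshot still trusts the old key
        freshAcceptsNewKey: dialog.checkFresh(newKey),                 // re-reading metadata accepts it
        reopenedAcceptsNewKey: new Dialog(account).checkStale(newKey), // steps 8-10: reopen works
    };
}
```

In this model the stale dialog also keeps accepting the replaced key, which is the other half of the same staleness.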

edits : fixed a screenshot, and unmixed some steps.

estellecomment avatar Mar 11 '24 15:03 estellecomment

I am working on understanding the code around this. There's a lot of stuff :) If you have any ideas of where to look it's welcome. Otherwise I'll just carry on!

estellecomment avatar Mar 14 '24 15:03 estellecomment

The same problem at Element: https://github.com/element-hq/element-web/issues/27155 ?

NicolasBuquet avatar Apr 03 '24 07:04 NicolasBuquet

@NicolasBuquet you linked to this same issue?

t3chguy avatar Apr 05 '24 11:04 t3chguy

@t3chguy Yes 🤣 Sorry, a mistake on my side. You can delete my comment before we go round and round !

NicolasBuquet avatar Apr 06 '24 07:04 NicolasBuquet

Excellent bug report - thank you!

andybalaam avatar Sep 05 '24 13:09 andybalaam