Closed Bug 288449 Opened 20 years ago Closed 20 years ago

Critical error for Mozilla Bug bounty: User name and password to ftp sites is saved unknowingly

Categories

(SeaMonkey :: General, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 88771

People

(Reporter: jmontalto, Unassigned)

References

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

If you enter options> privacy> and uncheck "save information I enter in web page forms and the search bar" then the information is still retained (already reported bug, I believe). However, if you type in an ftp site in the address bar with a username and password included, this information is saved.

Example:
I want to log into users.on.net (my internet provider's site).
I enter http://user:password@users.on.net/
I enter the ftp site and close the browser once finished.

Unlike in IE, upon restarting the browser the username and password is retained; If I type http://u into the location bar, the username and password, along with the address to the ftp site is retained, and can be accessed by anyone with physical access to the computer.

Reproducible: Always

Steps to Reproduce:
1. I want to log into users.on.net (my internet provider's site).
2. I enter http://user:password@users.on.net/
3. I enter the ftp site and close the browser once finished.

Actual Results:
On restarting the browser, the username and password to the site is still retained.

Expected Results:
Similar to Internet Explorer, it should have removed the username and password from the location bar, and just displayed the link to the ftp site I.e. http://users.on.net/

Quote from the Mozilla Bug Bounty FAQ: "In general we consider critical security bugs to be those that allow execution of arbitrary code on users' systems or that otherwise allow access to users' confidential information."

I believe this bug fits into that category.

Please note: bug is edited to replace all instances of http:// with ftp:// - obviously because this is a bug on the ftp functionality of Mozilla, that is the correct term. Sorry, was tired :)

> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
>
> If you enter options> privacy> and uncheck "save information I enter in web page
> forms and the search bar" then the information is still retained (already
> reported bug, I believe). However, if you type in an ftp site in the address bar
> with a username and password included, this information is saved.
>
> Example:
> I want to log into users.on.net (my internet provider's site).
> I enter ftp://user:password@users.on.net/
> I enter the ftp site and close the browser once finished.
>
> Unlike in IE, upon restarting the browser the username and password is retained;
> If I type http://u into the location bar, the username and password, along with
> the address to the ftp site is retained, and can be accessed by anyone with
> physical access to the computer.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1.I want to log into users.on.net (my internet provider's site).
> 2.I enter ftp://user:password@users.on.net/
> 3.I enter the ftp site and close the browser once finished.
>
> Actual Results:
> On restarting the browser, the username and password to the site is still retained.
>
> Expected Results:
> Similar to Internet Explorer, it should have removed the username and password
> from the location bar, and just displayed the link to the ftp site I.e.
> ftp://users.on.net/
>
> Quote from the Mozilla Bug Bounty FAQ: "In general we consider critical security
> bugs to be those that allow execution of arbitrary code on users' systems or
> that otherwise allow access to users' confidential information."
>
> I believe this bug fits into that category.

This has been previously reported and is ineligible for the bug bounty.

*** This bug has been marked as a duplicate of 88771 ***
Blocks: sbb-
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
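
The expected result in the report (history keeps ftp://users.on.net/ without the username and password) amounts to stripping the userinfo part of a typed URL before it is persisted. The following is an added example, not Mozilla code and not part of the original report; the function names and the sample history are hypothetical, and it relies only on the standard WHATWG `URL` class.

```javascript
// Added example: strip userinfo from a typed URL before it is written to
// history/autocomplete storage, and audit entries that were already stored.
// Function names and sample data are hypothetical.

// Returns { stored, hadCredentials }; `stored` is the form safe to persist.
function sanitizeForHistory(typed) {
  let url;
  try {
    url = new URL(typed);
  } catch (e) {
    // Not an absolute URL (for example a search term): nothing to strip.
    return { stored: typed, hadCredentials: false };
  }
  const hadCredentials = url.username !== '' || url.password !== '';
  // Clearing both fields removes the "user:password@" part of the authority.
  url.username = '';
  url.password = '';
  return { stored: url.href, hadCredentials };
}

// Audit existing entries: list the ones that embedded credentials,
// reporting only the redacted form so the secret is not echoed again.
function auditHistory(entries) {
  const findings = [];
  for (const entry of entries) {
    const { stored, hadCredentials } = sanitizeForHistory(entry);
    if (hadCredentials) findings.push(stored);
  }
  return findings;
}

// Constructed sample history (not real data).
const sampleHistory = [
  'ftp://user:password@users.on.net/',
  'ftp://users.on.net/pub/',
  'http://user@example.test/path?q=1',
  'not a url',
];

console.log(sanitizeForHistory(sampleHistory[0]).stored);
console.log(auditHistory(sampleHistory));
```
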