Closed
Bug 431547
Opened 17 years ago
Closed 17 years ago
FATAL FLAW IN SESSION RESTORE BYPASSES SECURITY
Categories
(addons.mozilla.org Graveyard :: Developer Pages, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 345345
People
(Reporter: crospqr, Unassigned)
Details
(Keywords: privacy)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Hello,
I discovered a fatal flaw in Mozilla Firefox 3 beta 5, as in it preserved my Yahoo login info on a third party computer. The following morning I rebooted the machine, restarted Firefox, and it opened the last session WITH MY YAHOO EMAIL ACCOUNT LOGGED ON. Now, Yahoo does not allow for password save, and I had not saved the password in Firefox (which one cannot do with Yahoo anyway). The Security setting confirmed that I had not stored any personal passwords on that machine. Yet, Firefox 3 beta 5 did what no other browser ever did to me before: it reopened the previous session straight to my personal email account, completely logged in, implying it had saved and stored the information.
At the very least, Yahoo generally logs someone off if not around and I had surfed at home, and logged off Yahoo after I had been on that third party machine. But, in this case, the 3rd party machine, shut down for 8 hours, rebooted, Firefox restarted and, VOILA, encrypted page had been bypassed as if it was cheese...
chris
Reproducible: Always
Steps to Reproduce:
1. Work in an encrypted password access page (bank, email)
2. Shut down system, or browser, without saving the session info
3. Reboot or restart browser and accept to restore the previous session.
Actual Results:
I am back in encrypted pages.
Expected Results:
No logon, or an error refreshing webpages requiring an encrypted log on
Take me back to main logon page.
Group: security
Severity: normal → critical
Component: Session Restore → Developer Pages
Keywords: privacy
Product: Firefox → addons.mozilla.org
Updated•17 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard