Closed Bug 423735 Opened 16 years ago Closed 16 years ago

AOL login security breach by Firefox session restore

Categories

(Firefox :: Session Restore, defect)

Product:
Firefox
Component:
Session Restore
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: egarner123, Unassigned)

Details

(Whiteboard: [sg:needinfo]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

After logging off AOL, session restore permits automatic login to AOL account.

Reproducible: Always

Steps to Reproduce:
1) Make sure session restore is turned on.
2) Login to AOL.
3) logoff AOL.
4) Close Firefox so that session restore will appear next time FF opens.
5) Restore session - no need to login to AOL (i.e., security breach).
Actual Results:  
Access to AOL account w/o re-entering username & password.

Expected Results:  
Username & Password should be required after initiating session restore.
How soon after logging off AOL do you shutdown Firefox? The crash recovery feature takes a snapshot every ten seconds (adjustable via a hidden pref browser.sessionstore.interval) so if you killed Firefox within that interval I might expect this.

Did you kill Firefox or do you use the "show my tabs from last time" feature and shut down Firefox cleanly? If the latter then this would be a legit bug--the final state should be saved cleanly--but then you wouldn't get the "restore my session" dialog on your next startup.
Whiteboard: [sg:needinfo]
This would occur regardless of time, as much as an hour or two would pass.

I would often have two AOL sessions that were logged off.

The "show my tabs from last time" feature was not turned on.

This has been going on for several weeks. However, something just happened where it no longer happens.

I am a computer administrator and PC support person, so I know the issue was real. But I can no longer reproduce the problem.

There was also an issue with AOL where it would not close properly if there were two AOL sessions in the same window. That seems to have been fixed. I will close this bug. I need to quit AOL.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.