424556 - Authentication bypass in Hotmail and some banking applications.

Status: RESOLVED INVALID

(Firefox :: Security, defect)

Description

[Alex Pietropaolo]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

When a user has two firefox browser sessions open at the same time and the user decides to check his hotmail account using one browser somehow the session cookie/id is retained by the other open browser.  The user can then open another browser session and simply type hotmail.com in the url and it completely bypasses user authentication.  

If the user is only using one browser, then everything works okay. The user is asked to authenticate to hotmail everytime he closes the browser and relaunches it. If you have two browsers which is common, then you aren't asked.

Reproducible: Always

Steps to Reproduce:
1.Open a firefox browser. No other settings need to be enabled.
2.open a second firefox browser. Nother settings need to be enabled. 
3.Using the second firefox browser, log into your hotmail account.
4.Now close the hotmail sessions and close the browser.
5.Now open another firefox browser and type hotmail.com in the URL.  You should bypass authenticaition.

Comment 1

[:Gavin Sharp [email: gavin@gavinsharp.com]]

When you launch a second Firefox window, you're not launching "another browser", you're just opening a new window in the same process. Cookies are shared across these two windows. Last I heard Internet Explorer behaves differently if you launch a new window by clicking the icon on the desktop (giving each window it's own set of cookies), but works just like Firefox if you use Ctrl+N.

In any case, this isn't a security issue, and isn't a browser problem. Bug 117222 is filed on doing something like what IE does.