Security problem with Firefox and http sites

RESOLVED DUPLICATE of bug 117222

Status

Firefox
Untriaged
2 years ago
2 years ago

People

(Reporter: Viglundur, Unassigned)

Tracking

43 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 obsolete attachment)

(Reporter)

Description

2 years ago
Created attachment 8657877 [details]
Dear Sirs - Firefox security bug.docx

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240

Steps to reproduce:

See attached Word 2010 file for description


Actual results:

See attached Word 2010 file for description


Expected results:

See attached Word 2010 file for description
Comment on attachment 8657877 [details]
Dear Sirs - Firefox security bug.docx

From the attachment:

> Dear Sirs.
> OS I have: Windows 10 Home
> Browser: Mozilla Firefox (fully updated as of 6th of Sept. 2015)
> PC: Intel Core i5, Lynnfield (4 years old), 8 Gb RAM, 1 Tb WD HD (new)
>
> I am a university engineer with programming knowledge and interest in computer security.
>
> A: Security problem I see with Firefox:
> Under very specific circumstances one can open somebody else's https web page (on-line banking, e-mail, etc.) in Firefox without entering the username/password/authentication code. I think this should not happen.
>
> B: Circumstances this could happen:
> a) If you are in a net-café and use online banking, e-mail or any such https web site, and (possibly under pressure) you do not exit very properly your site, and leave the Firefox web-browser on. The next user of the net-café computer has the same on-line bank or e-mail service, and enters its www address. Bingo, your https web site opens to him, be it banking, e-mail, or any such confidential information.
>
> b) If you are in your home and use online banking, e-mail or any such https web site, and your co-renter which you know little, asks to borrow your computer, you do not exit very properly your site (you are under pressure, he's standing over you), and leave the Firefox web-browser on. He happens to have the same on-line bank or e-mail service, and enters its www address. Bingo, your https web site opens to him, be it banking, e-mail, or any such confidential information.
>
> c) Your girlfriend who knows you only modestly moves into your apartment. Asks to borrow your computer, you currently working on it do not exit very properly your site (you are under pressure, she's standing over you), and leave the Firefox web-browser on. She happens to have the same on-line bank or e-mail service, and enters its www address. Bingo, your https web site opens to her, be it banking, e-mail, or any such confidential information. She may see financial information (or e-mails) that is not good for your relationship at this point.
>
> C: How to replicate security problem:
>
> 1)    Open your Firefox web-browser.
> 2)    Enter www address for your https site.
> 3)    Enter security info (username/password/other) and open site.
> 4)    Open a new tab in Firefox and enter any web site address.
>
> At this point you have to hurry out of the net-café (see a) above), or the co-renter or new girlfriend asks to use your PC.  (see b) and c) above).
>
> 5) Switch off the previous https tab (on-line banking etc.) by clicking on "x" on the upper left tab button (instead of using "sign-out" command button on https web site).
> Now you leave the computer and think it's safe and leave the room.
> 6) The new person happens to have the same on-line bank or e-mail service and enters that information in the current tab.
> 7) Presto, your https website opens without entering the username/password/authentication code. And everything there can be seen/accessed (think on-line banking) by that person.
>
> D: In a nutshell:
> The Firefox web browser does not sever its https connection if you only turn off the https web page by selecting "x" on the upper left tab. It keeps the connection so that if you start a new tab (without turning off the browser in the meantime) and only enter the www address it automatically enters the https site without username/password. Strictly speaking you should always shut down Firefox after visiting https sites but not everybody does that (always). As a person who knows many people who are clumsy with computers (think old folks, or those who are not technically literate), and in view of the fact that hundreds of millions of such people use Firefox every day, I think that this security problem is bound to happen, and that regularly. Hopefully you will change Firefox to make it safer, as I know you are continuously working on.
>
> Sincerely yours,
>   Viglundur Thor Viglundsson, MSc

<redacted>

>   e-m: viglundur10@hotmail.com
Attachment #8657877 - Attachment is obsolete: true
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 117222

Updated

2 years ago
Group: firefox-core-security