Open
Bug 1263419
Opened 8 years ago
Updated 2 years ago
I am able to access the Office365 student email of the last account that was signed in without entering login credentials.
Categories: Firefox :: Session Restore, defect
Status: UNCONFIRMED
People: Reporter: cd_2222, Unassigned
References: Depends on 1 open bug
Attachments: 1 file (91 bytes, text/plain)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160315153207

Steps to reproduce:
1) I signed in to my personal student email account, then signed out.
2) I waited until the sign-out process was complete.
3) I right-clicked on the back button and clicked "Automatic Log In For OneDrive".

Actual results:
I was logged back in to my account without having to re-enter my login credentials.

Expected results:
I should have been brought to a page where I may enter the password for my account to log in. (The option to automatically sign in is not present on any other browser that I've tested.)
The video is hosted privately on my personal Google Drive account.
Comment 2•8 years ago
What happens when you use Chrome or another browser?
Comment 3•8 years ago
This is due to "session history" -- you're going back to a page that was accessed through a POST rather than a GET, so if you go back to it then the data is re-POST-ed. Otherwise you wouldn't get the same page in some cases (as in this one!). Pretty sure this is "as-designed", and it's the reason that banks and so on often tell you to close the window after logging out.
Group: firefox-core-security
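An added illustration (not code from the bug report, Firefox, or Office 365) of the mechanism Daniel describes: the browser keeps the body of the sign-in POST in session history and resubmits it on back or session restore, so the server-side defence is to redeem each sign-in token only once and to forget the session on logout. It assumes the "Automatic Log In" page is the target of a POST carrying a sign-in token; the bug does not say what the re-POSTed data actually is.

```python
# Added example, not code from the bug report, Firefox, or Office 365.
# Models the mechanism from comment 3: session history keeps the body of a
# POST, so going back (or restoring the session) resubmits it. Assumption:
# the "Automatic Log In" page is the target of a POST carrying a sign-in
# token; the bug does not say what the re-POSTed data actually is.
import secrets
import time

class SignInService:
    def __init__(self, single_use):
        self.single_use = single_use   # hardened mode: each token redeems once
        self.issued = {}               # token -> (user, expiry timestamp)
        self.consumed = set()          # tokens already redeemed
        self.sessions = {}             # session id -> user

    def issue_token(self, user, ttl=300):
        tok = secrets.token_urlsafe(16)
        self.issued[tok] = (user, time.time() + ttl)
        return tok

    def handle_post(self, form):
        """Handle the sign-in POST; return a session id, or None if refused."""
        entry = self.issued.get(form.get("token"))
        if entry is None or entry[1] < time.time():
            return None
        if self.single_use:
            if form["token"] in self.consumed:
                return None        # replayed (e.g. re-POSTed from history)
            self.consumed.add(form["token"])
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = entry[0]
        return sid

    def logout(self, sid):
        # Forget the session server-side, so a cookie that session restore
        # brings back (comment 9) no longer identifies anyone.
        self.sessions.pop(sid, None)

def demo(single_use):
    svc = SignInService(single_use)
    form = {"token": svc.issue_token("student@example.invalid")}  # constructed
    sid = svc.handle_post(form)       # first visit: the real sign-in
    svc.logout(sid)                   # user clicks "sign out"
    replay = svc.handle_post(form)    # browser resubmits the stored POST body
    return {"cookie_valid_after_logout": sid in svc.sessions,
            "replay_signed_in": replay is not None}

if __name__ == "__main__":
    print(demo(False), demo(True))
```

With `single_use=False` the replayed POST signs the user back in exactly as the report describes; with `single_use=True` it is refused, and in both modes the logged-out session cookie is dead.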
Comment 4•8 years ago
Have you had a chance to see what happens on other browsers?
Flags: needinfo?(cd_2222)
(In reply to Liviu Cirdei [:liviucirdei] from comment #4)
> Have you had a chance to see what happens on other browsers?

(In reply to Matt Wobensmith [:mwobensmith][:matt] from comment #2)
> What happens when you use Chrome or another browser?

Yes, I tried using both Google Chrome and Microsoft Edge; neither gave me the ability to sign in automatically after signing out and closing the browser.
Flags: needinfo?(cd_2222)
Comment 6•8 years ago
(In reply to chevonie from comment #5)
> Yes, I tried using both Google Chrome and Microsoft Edge, none gave me the
> ability to sign in automatically after signing out and closing the browser.

In your bug description and in the attached video it seems like you didn't close the Firefox browser as you did on Chrome and Edge. Can you, please, check what happens if you sign out and close Firefox?

Considering Daniel's answer from comment 3 ("Pretty sure this is "as-designed", and it's the reason that banks and so on often tell you to close the window after logging out") it should work if you close the window or the browser.
Flags: needinfo?(cd_2222)
(In reply to Liviu Cirdei [:liviucirdei] from comment #6)
> (In reply to chevonie from comment #5)
> > Yes, I tried using both Google Chrome and Microsoft Edge, none gave me the
> > ability to sign in automatically after signing out and closing the browser.
>
> In your bug description and in the attached video seems like you didn't
> close the Firefox browser as you did on Chrome and Edge. Can you, please,
> check what happens if you sign out and close Firefox?
>
> Considering Daniel's answer from comment 3 ("Pretty sure this is
> "as-designed", and it's the reason that banks and so on often tell you to
> close the window after logging out") it should work if you close the window
> or the browser.

No problem. I'm still able to re-access my account without entering any user credentials after closing and reopening Firefox. I uploaded a private video of me doing so here: https://drive.google.com/file/d/0B8OTca-QdLwORVhPeEdmcUwtVk0/view?usp=sharing
Flags: needinfo?(cd_2222)
Comment 9•8 years ago
That video shows that you're using session restore (the "Reopen my windows and tabs from last time" homepage setting). That setting is a privacy disaster as noted in bug 530594 among other places. Although that bug is primarily talking about session cookies the same principle applies to the other information persisted by session restore such as session history. I can't say you're wrong that this is bad (I've been fighting bug 530594 for years), but it is intentional behavior and unlikely to be changed any time soon. I was surprised to see that my bug 529899 from the same era was recently fixed for Firefox 47 so maybe there's hope.
Flags: needinfo?(dveditz)
Comment 10•8 years ago (Reporter)
That's terrible, partly because I noticed for the first time while using a public computer. Scary that someone could have just entered my account so easily. I'll have to try to remember to close Firefox and clear the cache when I'm done.
Comment 11•8 years ago
I will move the bug to Session Restore hoping it would get some attention in the near future.
Component: Untriaged → Session Restore
Depends on: eternalsession
Updated•2 years ago
Severity: normal → S3