Open Bug 1304616 Opened 8 years ago Updated 10 months ago

Tab Restore of a logged out google accounts session restores YouTube tab in what appears to be a logged-in state

Categories

(Firefox :: Session Restore, defect)

52 Branch
defect

Tracking

Tracking Status
platform-rel --- -
firefox49 --- affected

People

(Reporter: houseknack, Unassigned)

Details

(Keywords: reporter-external, site-compat, Whiteboard: [platform-rel-Youtube])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:

Solution provided. Please do let me know if it works.

Issue: So I had around one firefox browser open with multiple tab sessions: version - 53.0.2785.116 m, OS - windows. I then logged out of an already open gmail account session - the one used to log this bug. I then ran a recursive restore - in the sense that I ran a restore in the current browser, that opened up multiple tabs that then led me to restore tabs from older browsing windows now restored - all of which were irrelevant to gmail. You don't need terrorists aka cyber criminals to hack your online profile and steal intellectual property and claim right over your copyright and identity, do you? It's crazy how some juvenile delinquents are allowed to cry bloody murder and terrorize the world for getting caught with soiled nappies.

Actual results:

This restored and logged me in to a youtube session corresponding to the gmail account logged out minutes before running this test. So the cache management probably needs some tweaking .. shared below. This is a major security breach. If you are a developer, you could tell the cache continued to carry the session id that logged you into the account, even after the logout in a subsequent session in a different tab on the same browser. Terrorists spoofing.. Security Breach, Life in DANGER!

Expected results:

Ideally it doesn't matter which google application you log into to access their various apps, it should log you out of each one of them if you sign out of one. At least from my most recent experience with it on the same system and same browser which was used to reproduce this test! Obviously, if you are a developer, you could tell, an old cache registry had no way to receive an update through any connection or communication of the current action taken.

So somehow, try and hook a handler programmatically - famously called a "callback" - to communicate back with an open session of an updated state wrt the closed account using a unique key that identifies both - like say the account name? - to fix this bug. This works in embedded cross platform world. Should be a much easier fix for browsers :)

The reason I "shared" the way to fix it, was because I saw there was no fix provided earlier for similar issues reproduced differently but reported from close to a decade. I also see chrome didn't have a fix: https://bugs.chromium.org/p/chromium/issues/detail?id=128513 This approach will work. Should be an easy DIY! Thanks.

PS: It probably doesn't need a recursive restore to reproduce this but I hate testing and couldn't find time to test more. I grudgingly run my own unit tests lazily. I accidentally bumped into an issue. And had a solution that you could use. HTH! If not, not a bad technique to steal, study and reuse!
Summary: Cache management exposes "Security breach" in recursively restored tab and logged out application sessions → Solution Provided: Cache management exposes "Security breach" in recursively restored tab and logged out application sessions
Severity: normal → critical
Keywords: sec-critical
Priority: -- → P2
Whiteboard: Developer perspective. Superficial finds. Solution for security breach.
I don't need credit. I understand you need it more. It will do, if it's put to good use. Don't expect more. My interest in Mozilla development ends with this. Please do not stalk or attempt hacking my account. The feds are watching.
Security Group - please review and advise
Component: Untriaged → Security
Product: Firefox → Core
Updating the steps to reproduce here:

1. Start with a new Firefox session using a new profile and a google account with mail, drive, and youtube
2. Log into gmail
3. Using the "grid pane" in the upper right of the Gmail window log into YouTube and Drive in separate tabs
4. Log out of the gmail tab
5. Close the other two google tabs
6. Select History > Recently Closed Tabs > Restore All Tabs
7. Observe that gmail and drive tabs have the google login prompt, but youtube tab shows the logged in view
8. Click on 'subscriptions' in youtube tab and see that you get sent to the google login

Expected behavior

When restoring the tabs the youtube tab should have gone to the google login

I don't know if this is our issue, or google/youtube's

Removing metadata which should be set by engineering triage.
Severity: critical → normal
Status: UNCONFIRMED → NEW
Component: Security → Session Restore
Ever confirmed: true
Priority: P2 → --
Product: Core → Firefox
Summary: Solution Provided: Cache management exposes "Security breach" in recursively restored tab and logged out application sessions → Tab Restore of a logged out google accounts session restores YouTube tab in what appears to be a logged-in state
Whiteboard: Developer perspective. Superficial finds. Solution for security breach.
platform-rel: --- → ?
Whiteboard: [platform-rel-Youtube]
platform-rel: ? → -
Is this fixed? The problem occurs when you run a restore of the current browser that holds tabs that restores old browsers with logged in google account sessions that doesn't reflect the fact that you just logged out of their account from the current browser before running restore.
(In reply to SShetty from comment #5)
> Is this fixed?

No. This bug is still marked "new" and you would see a check-in comment if it was fixed.
Flags: sec-bounty? → sec-bounty-
Severity: normal → S3