Closed Bug 132076 Opened 22 years ago Closed 22 years ago

quick launch and web passwords.

Categories

(Core Graveyard :: Security: UI, defect, P2)

1.0 Branch
x86
Windows 2000
defect

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 125561
psm2.2

People

(Reporter: ssaux, Assigned: KaiE)

References

Details

Issue details:
If 'Enable Quick Launch' is enabled, a security
risk is exposed.

In Password Manager (Edit, Preferences, Privacy &
Security, Web Passwords) if the 'Remember
passwords for sites that require me to log in' is
unchecked, then any access to secure sites should
present a userid/password challenge. The first
time a secure page is accessed, Netscape does
present the challenge and accepts the user/pass. 

However, if 'Enable Quick Launch' is enabled
(Edit, Preferences, Advanced), subsequent access
to the secured page does NOT present a security
challenge, regardless of whether a new browser
session is started or the Netscape browser process
is stopped.

We believe this could be a major security hole for
shared computers (particularly locations such as
internet cafes) as closing the browser is not
clearing the userid and password for visited sites.

This can be recreated every time and does not
occur with other browsers. Turning off 'Enable
Quick Launch' causes the security challenge dialog
to appear as expected.

Additional computer info: Using Netscape version 6.2.1

This form was submitted from
http://help.netscape.com/forms/bug-security.html?cp=bbpctr
with Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.4) Gecko/20011128
Netscape6/6.2.1.
Kai, Conrad, is this a known issue?
Priority: -- → P2
Target Milestone: --- → 2.2
No - when a quicklaunch session ends or profile is switched, notification is
sent out and those components holding passwords (http handler, single-signon,
wallet, etc) observe the change and flush their passwords. This is part of the
embedding smoketests and, AFAIK, works. Will need to check.
nsbeta1
I guess this has the same cause as bug 125561.
Blocks: 108795
Who is triaging these nsbeta1 nominations?  We need to get +/- and an indication
of the impact ADT[1-3] on this bug.
Because this report came from a web form, we can't ask the reporter.

From the description I believe this only occurs when web passwords are used with
encryption (rather than obscuring only).

If my guess is right, this bug should be marked as a duplicate of 125561.

I'll just do it. Please reopen if you disagree.


*** This bug has been marked as a duplicate of 125561 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
V
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.2 → 1.0 Branch
Product: Core → Core Graveyard