Closed Bug 216027 Opened 22 years ago Closed 19 years ago

Online banking security issue

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED EXPIRED

People

(Reporter: malcolm, Assigned: security-bugs)

Details

(Keywords: ecommerce)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

You need to be with Bank of Scotland and use online banking to be able to see this problem. Alternately you could be with Legal and General (www.leaglanadgeneral.com). With either of these the banking page does not close automatically and the back button can be used to show pages with account details. The pages show as being secure so I think this is due to being cached in memory rather than disk. With IE, Bank of Scotland closes the browser. With Mozilla it seems to go back 1 page. I haven't tried Legal and General in IE.

Note Halifax bank at close goes to new page BUT back button does not reveal account details but goes to login page instead. Again you need to be with the Halifax (www.halifax.co.uk) to test this.

Reproducible: Always

Steps to Reproduce:
1. Login to online banking with Bank of Scotland or Legal and General
2. Display Account statement etc.
3. Log off
4. Use back button

Actual Results: Account details are visible

Expected Results: Not displayed account details. Log off should have closed tab.

Tab extensions installed if this is relevant. I think this is not a security problem that should be secret since the workaround looks to be to close Mozilla completely after banking in order to clear memory cache.
I can reproduce the same problem. I log onto my account, and it displays my account info. I click Logoff and it takes me to the home page again. If I click 'Back' at this point I can view the account information.
Keywords: ecommerce
Is this more a problem with the banking application - should the bank not be setting the expiration of the pages - forcing mozilla to try and reload them, rather than caching them?
"Is this more a problem with the banking application"

Yes, the bank could create code that works correctly since the Halifax code does. However, it is one area where IE differs from Mozilla and Mozilla comes off worse. Hence I'd suggest that the code is changed if only to correct that. Banks seem to have a funny idea of security. They write bad code then compound it by saying you must use IE, the browser with the most security holes. If you tell them about the security hole they just say use IE (been there, done that, got the T-shirt :-()
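The server-side behaviour discussed in the two comments above (account pages marked as not storable, and the session ended at logoff so that Back lands on the login page, as the reporter describes for Halifax), as an added example that is not part of the original bug thread or any bank's code. The paths, the `sid` cookie and the in-memory session set are assumptions.

```python
import secrets

SESSIONS = set()  # server-side session ids that are still valid (assumed store)

# Sent with every response that depends on the session, so the browser keeps
# no copy (memory or disk) for Back to redisplay after logoff.
NO_STORE = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]

def session_id(environ):
    """Return the value of the hypothetical 'sid' cookie, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value
    return None

def redirect(start_response, location, extra=()):
    start_response("302 Found", [("Location", location), *extra, *NO_STORE])
    return [b""]

def app(environ, start_response):
    path, sid = environ.get("PATH_INFO", "/"), session_id(environ)
    if path == "/login":  # credential check is out of scope here (assumption)
        sid = secrets.token_urlsafe(16)
        SESSIONS.add(sid)
        cookie = ("Set-Cookie", f"sid={sid}; Secure; HttpOnly; Path=/")
        return redirect(start_response, "/account", [cookie])
    if path == "/logoff":
        SESSIONS.discard(sid)  # end the session on the server, not only in the browser
        expired = ("Set-Cookie", "sid=; Max-Age=0; Secure; HttpOnly; Path=/")
        return redirect(start_response, "/", [expired])
    if path == "/account":
        if sid not in SESSIONS:  # logged off or never logged in
            return redirect(start_response, "/login")
        start_response("200 OK", [("Content-Type", "text/plain"), *NO_STORE])
        return [b"constructed account statement"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"home page"]

def request(path, cookie=""):
    """Call the app offline; returns (status, headers as dict, body bytes)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"], body
```

Replaying the old cookie against `/account` after `/logoff` is what a Back navigation does once the browser has no stored copy to show, and it receives the redirect to `/login` instead of the statement.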
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
This bug has been automatically resolved after a period of inactivity (see above comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → EXPIRED