Closed Bug 353481 Opened 18 years ago Closed 18 years ago

Gmail attachment still available after logging out

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: michele.dg, Unassigned)

References

()

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 When downloading an email attachment from a Gmail mailbox is still possible to download the file once logged out from mail account. Reproducible: Always Steps to Reproduce: 1. Login to your Gmail account 2. Download an attachment from any email and once downloaded rename it 3. Logout from your Gmail account 4. Open "Donwloads" tool and copy the URL of your downloaded file using "Properties". 5. Paste the URL in a new tab of your browser and get your file again ! Actual Results: I got my attachment file saved on my default location, even if I logged out from my Gmail account. Expected Results: It would be advisable to get a new Gmail login window when trying to get that URL, since my session was expired. I tried the same procedure usign Firefox (1.5.0.7) on Windows XP and Linux Fedora Core 5 with the same results. MS IE6 is not affected from this bug, since when trying to get an attachment from an expired Gmail session, it replies with a Login window. I think that's an uncorrect cookie management between Gmail and Firefox, but I'm not so skilled to say. Anyway, I found this bug really annoying because of possible privacy violations in an environment where a single PC is shared between many people.
have you contacted gmail?
If you've downloaded the attachment it's in your cache and if you try to download it again right away we'll almost certainly find it there. If we do then we simply fetch it locally and never even ask the server about it. If you clear the cache then we do try to get it from Google, and Google correctly shows the gmail login screen instead of the attachment content. The result is a little surprising but valid. If Google wanted to prevent it they could set the Expires header so that we'd have to ask them if it was up-to-date, or they could send a no-cache header with the attachment
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.