Closed
Bug 389126
Opened 17 years ago
Closed 16 years ago
Session Restore circumvents Clear Private Data
Categories
(Firefox :: Session Restore, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: Klem, Unassigned)
Details
(Keywords: privacy)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5 Summary: An "unresponsive script" dialogue triggered by Firefox's session restore code prevent browser sanitisation: resulting in the disclosure of private data. No warning or error message was given. Long version: This afternoon I was researching a highly sensitive problem on the net using Firefox. During my research I collected a large number of open tabs all containing related and CONFIDENTIAL pages. At the end of the session I right clicked on one of the tabs and chose "close other tabs" from the context menu, then loaded the default homepage over the remaining page. I then ran "clear private data" using the default setting (all options excluding cookies and passwords were selected). Confident my browsing history was gone I closed the main window to terminate Firefox. The window closed revealing an "unresponsive script" dialogue which had popped under my browser session and been missed. I dismissed it by clicking the close cross then shut down the computer and left. I returned later to find a colleague browsing through the tabs which I had been researching earlier! I was using PC hardware running the current, mainstream, 2.0.0.5 Windows release of Firefox but am concerned that this frightening security & privacy failure will affect other platforms and OSs. Reproducible: Didn't try Steps to Reproduce: 1. Open many tabs in a single browser window and await the unresponsive scrip dialogue to be triggered by the crash recovery code. 2. Ignoring unresponsive script dialogue: 2a. "Close Other Tabs" 2b. "Clear Private Data" 2c. Close browser window. 3. Dismiss unresponsive script dialogue. 4. Start Firefox Actual Results: The "restore session" dialogue is presented upon restart. Electing to restore the session, Firefox reloads all the tabs which were open (presumably) when the Expected Results: No tabs were open when Firefox was terminated. The session was sanitised at shutdown therefore: No record of the previous session should be retained, no "restore session" option should be offered and the previous PRE SANITISATION session must NOT BE RECOVERABLE.
Updated•17 years ago
|
URL: any
Severity: critical → major
Component: Security → Session Restore
QA Contact: firefox → session.restore
Comment 1•17 years ago
|
||
This sounds similar to bug 388239.
Comment 2•16 years ago
|
||
I've been trying to get Session Restore to get unresponsive by adding > for (var i = 0; i < Infinity; i++); at various points. However, wherever I insert that line, the Clear Private Data dialog never comes up while the Unresponsive Script prompt is still up. In Firefox 3.0, I even never get the Unresponsive Script prompt to start with. -> WORKSFORME Then again, Clear Private Data never really managed to clear all session data in Firefox 2.0 due to bug 366572, anyway. For privacy sensitive activities, you thus better use Firefox 3.0 (and if possible your own profile at OS level which other users can't access).
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•