data insecurity - winXP with more users -> also session restore for other users!




11 years ago
8 years ago


(Reporter: moriaii, Unassigned)



Firefox Tracking Flags

(Not tracked)


(Whiteboard: DUPEME)



11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071008 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071008 Firefox/

winxp professional with more than one user profile
user nr1 used firefox and did not close it, then changed to user nr2. user nr2 used firefox and did not close it but shut down the computer.
later user nr1 switched the computer on and used firefox and restored the latest session. result: two browsers, one with the session of user nr1, one with the session of user nr2 (with opened email account etc).

(Originally in German)
Two users were logged in, and both had a Firefox browser open.
Afterwards user no. 1 shut down the computer without closing her browser (and without closing the browser of user no. 2).
When user no. 2 then switched the computer back on, she was asked on starting Firefox whether she wanted to resume her previous session, which had not ended normally. After choosing the option to resume, two browsers opened, one with the content of the session of user no. 2 and one with the content of user no. 1!
This is of course worrying, since user no. 2 thereby had access to data, information and other things belonging to user no. 1.

Reproducible: Always

Steps to Reproduce:
1. two users in winXp
2. first user opens firefox and some sites
3. switch to another user
4. open firefox and some sites
5. shut down the computer
6. switch the computer on
7. choose one of the users and restore session in firefox
Actual Results:  
open the sessions of two users

Expected Results:  
just open the session of the user which is logged in in windows

more than one not-admin-user on the computer

Not a security exploit that needs to be hidden. I'm not sure how this could happen, separate user accounts get separate profiles...
Group: security
Version: unspecified → 2.0 Branch


11 years ago
Keywords: privacy

Comment 2

11 years ago
... unless there was only one instance of Firefox being used by both users due to a computer misconfiguration:

If I RunAs Firefox as a different user and then start Firefox as the currently logged in user, I actually get another window for the already running instance instead of a new instance with my own profile. That's no Session Restore specific bug, though, but rather an XRE specific one.
Component: Session Restore → XRE Startup
Product: Firefox → Toolkit
QA Contact: session.restore → xre.startup
Whiteboard: DUPEME
Version: 2.0 Branch → unspecified


10 years ago
Component: XRE Startup → Startup and Profile System
QA Contact: xre.startup → startup

Comment 3

8 years ago
the same happened yesterday 2010.01.31 on my pc!

I was installing the new opera browser, because the secunia PSI told me there was an insecure version.
on Windows, I was logged in ONLY AS a standard user (not Administrator)
while I was installing the browser, I had to put in the admin password (because I was logged in as a standard user!!!!!)
after putting in the admin password and while installing opera, open office, and vlc software, I started firefox version 3.6.13 and all the saved tabs, PASSWORD!!!!! of the ADMIN USER opened!!!!!!

is it possible that a standard user, who does not have access to the other admin account, can access his (Admin) profile???

I'm using a german version of firefox version 3.6.13, Vista german
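
A defender-side check for the condition described in Comment 2, a Firefox process running in your desktop session under a different account. This is an added example, not part of the bug thread or of Mozilla's code; the function name `Get-ForeignFirefoxInstance` is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the bug thread). Reports firefox.exe processes in the
# current logon session and flags any that run under a different account than
# the one executing this script.
function Get-ForeignFirefoxInstance {
    [CmdletBinding()]
    param(
        # Process image name to look for; firefox.exe is the case on this page.
        [string]$ImageName = 'firefox.exe'
    )

    # Account and logon session of the caller, e.g. MACHINE\user.
    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $mySession = (Get-Process -Id $PID).SessionId

    Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ImageName'" |
        Where-Object { $_.SessionId -eq $mySession } |
        ForEach-Object {
            # GetOwner fails for processes the caller may not query. For a
            # standard user that is itself a sign that the process belongs
            # to another account, so an unreadable owner counts as foreign.
            $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
            $owner = if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { $null }

            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                SessionId   = $_.SessionId
                Owner       = if ($owner) { $owner } else { '<not readable>' }
                Foreign     = ($owner -ne $me)   # string comparison is case-insensitive
                CommandLine = $_.CommandLine
            }
        }
}

# Show only instances that do not belong to the current account.
Get-ForeignFirefoxInstance | Where-Object Foreign | Format-List
```

Any row in the output means a new Firefox window opened in this session may attach to that instance and its profile, so close that process before starting Firefox.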