AOL login security breach by Firefox session restore




Session Restore
10 years ago
3 years ago


(Reporter: Edward Garner, Unassigned)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:needinfo])



10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20080201 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20080201 Firefox/

After logging off AOL, session restore permits automatic login to AOL account.

Reproducible: Always

Steps to Reproduce:
1) Make sure session restore is turned on.
2) Log in to AOL.
3) Log off AOL.
4) Close Firefox so that session restore will appear next time FF opens.
5) Restore session - no need to login to AOL (i.e., security breach).

Actual Results:
Access to AOL account w/o re-entering username & password.

Expected Results:  
Username & Password should be required after initiating session restore.

Comment 1

How soon after logging off AOL do you shut down Firefox? The crash recovery feature takes a snapshot every ten seconds (adjustable via a hidden pref browser.sessionstore.interval) so if you killed Firefox within that interval I might expect this.

Did you kill Firefox or do you use the "show my tabs from last time" feature and shut down Firefox cleanly? If the latter then this would be a legit bug--the final state should be saved cleanly--but then you wouldn't get the "restore my session" dialog on your next startup.
Whiteboard: [sg:needinfo]

Comment 2

10 years ago
This would occur regardless of time; as much as an hour or two would pass.

I would often have two AOL sessions that were logged off.

The "show my tabs from last time" feature was not turned on.

This has been going on for several weeks. However, something just happened where it no longer happens.

I am a computer administrator and PC support person, so I know the issue was real. But I can no longer reproduce the problem.

There was also an issue with AOL where it would not close properly if there were two AOL sessions in the same window. That seems to have been fixed. I will close this bug. I need to quit AOL.
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME


3 years ago
Group: core-security → core-security-release
Group: core-security-release