Closed Bug 465277 Opened 16 years ago Closed 16 years ago

Back button reveals personal account information for online banking after logout

Categories

(Core :: DOM: Navigation, defect)

1.9.0 Branch
x86
All
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 441751

People

(Reporter: alfred.peng, Unassigned)

Details

Attachments

(1 file)

Following is the email for a potential security issue of Firefox 3.0.4 on OpenSolaris reported by Bob (cc him into this bug).

This issue is related to online banking with Firefox. I've tried DBS online banking system (https://internet-banking.dbs.com.sg/IB/Welcome) just now with Firefox 3.0.4 and IE 6.0 on WindowsXP and a similar problem can be identified. After I logged out, the "back" navigator could bring me to the last page I visited with my personal banking information and it flashed to another page quickly, which says that I need to re-login. However, I can still see part of the information in this short period of time. Bob's case is even worse as you can see.

As Bob mentioned, this problem can't be reproduced on Firefox 2.0.0.x on Solaris 10 system.

>>>>> The bank I use is a major Irish bank AIB.
>>>>> Their internet banking is accessed at:-
>>>>> https://internetbanking.aib.ie/hb1/roi/presign.jsp
>>>>> (I've been using this service for years)
>>>>>
>>>>>
>>>>> After I had completed my transactions, I successfully logged out.
>>>>> I hit the back button in the toolbar and was brought back into the 
>>>>> page showing the  balance of my bank accounts.
>>>>>
>>>>> This is a security issue, from the logout confirmation page, the 
>>>>> back button on firefox use to (correctly) bring the user back to 
>>>>> the login page.
>>>>>
>>>>> When the user is brought back to the page showing their balances, 
>>>>> it appears to be read only, i.e. attempting to perform any action 
>>>>> results in the user being brought back to the login page. However, 
>>>>> selecting back in the toolbar again - results in the balances 
>>>>> being shown again.
>>>>> I consider the issue to be a blocker for the upcoming release.
>>>>> I've never logged a security bug before,  I'm not sure what 
>>>>> internal protocols we have - can you investigate / log bug as 
>>>>> appropriate.
>>>>>
>>>>> I have confirmed that the issue occurs on
>>>>>
>>>>> opensolaris 0811-rc1b with firefox SUNWfirefox   0.5.11-0.101    
>>>>> installed  u--- pkg:/SUNWfirefox@0.5.11,5.11-0.101:20081104T025115Z
>>>>>
>>>>> The issue also occurs on gnome2.24 build nv_103
>>>>> VERSION:  3.0.3,REV=110.0.4.2008.11.04.05.21
>>>>>
>>>>>
>>>>> The issue does not occur on solaris 10u6 using firefox 2.0.
>>>>>
>>>>> Clearing all private data under preferences, privacy, clear now - 
>>>>> appears to fix the problem after you have logged out.
>>>>> of the internet banking website.

Not sure whether the bug is in the correct component. I mark it as security sensitive for now. Please feel free to re-categorize it for proper tracking.
Not sure how this is a bug at all: going back always takes you to the pages you've already been on.
Logging out of accounts, generally does not allow a user to log back in by selecting the back button. e..g gmail.
This issue mentioned in the original bug report, does not occur with FF2. Using FF2, logging out of the online bank account, and selecting back the user is brought back to the online banking login page. The user is NOT brought back to the page showing their bank balances.
To be clear: you are not logged back in to the website: we are merely displaying the results of navigation you have already performed.
Summary: Firefox reveals personal account information for online banking after logout → Back button reveals personal account information for online banking after logout
correct, when you select the back button - the bank balances are displayed, but user cannot take any actions on the bank accounts.

The issue has also been reproduced on FF3.0.4 on MacOS X   
it's not reproducible with Safari 3.1.2 on Mac OS X. 
issue does not occur on solaris 10u6 using firefox 2.0
I'm going to open this up because I'm pretty sure it's by design and could use more eyes anyway.
Group: core-security
Component: Networking: Cache → Document Navigation
QA Contact: networking.cache → docshell
> we are merely displaying the results of navigation you have already performed.

We shouldn't be if it's no-store or if it's SSL and no-cache.  In those cases we should be hitting the server, even on back.  Is either one the case here?
(In reply to comment #0)
> This issue is related to online banking with Firefox. I've tried DBS online
> banking system (https://internet-banking.dbs.com.sg/IB/Welcome) just now with
> Firefox 3.0.4 and IE 6.0 on WindowsXP and a similar problem can be identified.
> 

Need to make myself clear here,  I can reproduce the similar problem with Firefox 3.0.4 on WindowsXP and IE 6.0 doesn't have this problem. The "back" navigator won't reveal the personal information after logout with IE.
not sure if this information is useful, getting the headers for the login page shows
wget --server-response --no-check-certificate --save-header https://internetbanking.aib.ie/hb1/roi/presign.jsp
WARNING: Certificate verification error for internetbanking.aib.ie: self signed certificate in certificate chain
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Tue, 18 Nov 2008 12:29:37 GMT
  Server: IBM_HTTP_Server
  Cache-Control: no-store
  Pragma: no-cache
  Expires: -1
  Content-Length: 6726
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html;charset=ISO-8859-1
  Content-Language: en
Length: 6,726 (6.6K) [text/html]
I need the headers from the page that's not supposed to be disclosed, not from the login page.  If I wanted the login page, I could get it myself.

Alfred, since a login is needed to see the problem you're going to have to do some debugging.  In particular, get some HTTP logs and see what CanSavePresentation returns at various points.  That's a start; then we'll see.
I've just attached a trace of a simple session. It's been sanitized to remove the bodies of requests/responses and also references to Cookies and login information but I think there is enough information contained for what is needed.

While I can reproduce this issue on a new installation, where pressing the Back button causes the previously visible page to be rendered, in my normal user account I see a different (and more expected) behaviour.

My normal user account, has a set of preferences, etc. that have been around a long time. When I use this profile, I cannot reproduce this issue, meaning that when I try pressing the back button on this version I get a prompt asking me to confirm resending of form data.

Is there a preference setting that causes such a change in behaviour? It would appear that the default value has changed in the latest builds, but I could be mistaken - I'm a user here, and don't know enough about how Firefox works to determine what might be having this effect.
OK.  All those are cache-control:no-store, so we shouldn't be showing them on back.  If they are, something is really broken.

Could someone who can reproduce this possibly hunt down a one-day regression range, assuming this is a regression from Firefox 2?
Bug 441751 gives a one-day regression range, is it a dupe?
see bug 441751 comment #28

Can somebody verify it on Windows or Mac ?
As the DBS online banking system I was using doesn't have a good support for my Solaris box, I'll find a Windows to have a try later.
(In reply to comment #13)
> As the DBS online banking system I was using doesn't have a good support for my
> Solaris box, I'll find a Windows to have a try later.

It might not help, because we don't know whether DBS online banking system has same cache-control in http header as AIB does.
Different http headers will lead to different results.
Robert Kinsella did the test on Windows.
The bug is reproducible on AIB's website by using
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007/07/2007-07-09-04-trunk/firefox-3.0a7pre.en-US.win32.installer.exe
The bug is not reproducible by using
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007/07/2007-07-08-04-trunk/firefox-3.0a7pre.en-US.win32.installer.exe

So it's a dupe of 441751. Let's move our discussion there.

Please check bug 441751 comment #52.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.