Closed
Bug 595178
Opened 14 years ago
Closed 14 years ago
Dismissed "Remember password?" notification sticks around for too long
Categories
(Firefox :: General, defect)
Firefox
General
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: dao, Unassigned)
References
Details
(Keywords: privacy, regression)
Scenario: You use somebody else's / a public PC to check for email. You enter your address and password, login, dismiss the "Remember password?" notification, read your mail, log out and leave. Anyone would now be able to click the key icon in the location bar, remember the password and login to your account or open the password manager to read your password.
Reporter | ||
Updated•14 years ago
|
blocking2.0: --- → ?
Reporter | ||
Updated•14 years ago
|
Keywords: regression
Summary: "Remember password?" notification sticks around for too long → Dismissed "Remember password?" notification sticks around for too long
Comment 1•14 years ago
|
||
Same deal as bug 595175 - they only last 10 seconds more than the previous notifications did (30s vs. 20s), but there's no way to completely remove them.
Reporter | ||
Comment 2•14 years ago
|
||
As far as I remember a few page loads (e.g. the logout hopefully) used to remove the info bar automatically too.
Comment 3•14 years ago
|
||
I can confirm the following security issues with gmail, all run from a new profile. 1. Logon to gmail, ignore or dismiss the remember password notification. logout within 30 seconds - scenario where user sees immediately they have no new mail. 2. From the logout screen the password notification remains long after 30 seconds 3. Click the password notification and click remember 4. Double click the gmail username field, form fill has remembered the username 5. F5 or refresh the page and the password is filled in, allowing logon to an unauthorised user after the real user has logged off Do the same but remain within gmail for > 30 seconds, the password notification is removed at logoff Mozilla/5.0 (Windows NT 5.1; rv:2.0b6pre) Gecko/20100911 Firefox/4.0b6pre
Comment 4•14 years ago
|
||
(In reply to comment #2) > As far as I remember a few page loads (e.g. the logout hopefully) used to > remove the info bar automatically too. That happens with the new notifications too - any page loads after the timeout has elapsed will remove it. The old notifications use persistence++ (ignore the first page load) and timeout: 20 (show for at least 30 seconds), while the new notifications just use timeout: 30. The logic for both notification types is identical: http://hg.mozilla.org/mozilla-central/annotate/f7c46270db80/toolkit/content/widgets/notification.xml#l191 http://hg.mozilla.org/mozilla-central/annotate/f7c46270db80/toolkit/content/PopupNotifications.jsm#l252 http://hg.mozilla.org/mozilla-central/annotate/f7c46270db80/browser/base/content/browser.js#l4296
Reporter | ||
Comment 5•14 years ago
|
||
Ok, assuming this all works as expected (e.g. the page loads are counted correctly, it doesn't matter when the popup was dismissed), I suppose the timeout makes the difference. I always had the impression that the notification bar magically disappeared when it seemed about right. Why was the timeout increased in the first place?
Comment 6•14 years ago
|
||
No good reason, AFAICT. The patch in bug 595175 re-adjusts it.
Reporter | ||
Comment 8•14 years ago
|
||
This should block. If bug 595175 fixes it, great, but it should block.
blocking2.0: - → ?
Comment 9•14 years ago
|
||
They're not duplicates, they're just related.
Comment 10•14 years ago
|
||
Though maybe we can consider this FIXED by http://hg.mozilla.org/mozilla-central/rev/6095c6b1f50f .
Comment 11•14 years ago
|
||
Shouldn't the password dialog have an option "don't save now", as the notification bar had? It is clear that there is a difference between dismissing by ignoring the dialog and actually refusing it. Say I log into my email on someone else's computer so that he can read an email of mine... I'd have to leave the site and return in order to prevent that someone from possibly stealing my password. It may seem a bit paranoia, but I think it is understandable that people would think that way.
Reporter | ||
Comment 12•14 years ago
|
||
(In reply to comment #11) > Shouldn't the password dialog have an option "don't save now", as the > notification bar had? It is clear that there is a difference between dismissing > by ignoring the dialog and actually refusing it. Say I log into my email on > someone else's computer so that he can read an email of mine... I'd have to > leave the site and return in order to prevent that someone from possibly > stealing my password. It may seem a bit paranoia, but I think it is > understandable that people would think that way. I agree, it's something this notification lacks. Please file a new bug, though. The timing issue has apparently been fixed in bug 595175.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
blocking2.0: ? → betaN+
You need to log in
before you can comment on or make changes to this bug.
Description
•