Closed Bug 628642 Opened 13 years ago Closed 11 years ago

Information leakage - Firefox 3.6.13 stores private information of https-session in browser cache/history

Categories

(Toolkit :: Places, defect)

x86
macOS
defect
Not set
major

RESOLVED WONTFIX

People

(Reporter: bugzilla, Unassigned)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)

Firefox 3.6.13 logs and stores the text-headers and urls of "https"-sessions in its history cache.
This information often contains sensitive and private data of the user.
The information can be retrieved by any other user from the address bar and the history search function.
For example: Gmail message subjects are available to any other user in browser history cache after a user has logged off.
This behavior can lead to private user information leakage on a publicly used computer.
This vulnerability is specific to Firefox as current versions of Safari (Version 5.0.3 (6533.19.4)) and IE (Version: 8.0.6001.18702) do not store https-sessions information into cache.

Reproducible: Always

Steps to Reproduce:
1. Log into Gmail
2. Read some mail messages.
3. Log off Gmail

Actual Results:
4. Search history for 'Gmail - ' to retrieve every private email subject that had been accessed.

Expected Results:  
User private data that had been accessed via an https-session should not be logged to browser cache, and should not be accessed via the drop-down address bar.

HTTPS page contents are not cached unless the site sends a cache-control: public header.

When I visit HTTPS pages in Safari, quit, then re-launch Safari, and then open History I still see the HTTPS pages as well as their titles. It's more obvious in Firefox because we have built-in history search in the address bar, but the data is no less accessible in Safari if you want to go looking for it. I assume IE is the same -- that's why modern browsers have "Private" modes and ways to clear your history.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → toolkit
Component: Security → Places
Product: Core → Toolkit
QA Contact: toolkit → places
I can't see us wanting to fix this. If someone really cares about this data not being leaked, they can clear their history when they close the application.
Whiteboard: wontfix?
Private browsing should be used in such cases; prevention is better than partial cleanups.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Whiteboard: wontfix?
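
The retention discussed in this thread can be audited on a shared machine by querying the Places history database for HTTPS rows that kept a page title. This is an added example, not part of the bug thread or Mozilla's code; it runs against a constructed in-memory database with a reduced `moz_places` table, and the hosts, titles and function names are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumption: reduced moz_places layout with only the columns this audit
# reads; a real places.sqlite has more columns and tables.
SCHEMA = ("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
          "title TEXT, last_visit_date INTEGER)")

# Constructed sample rows, not taken from any real profile.
SAMPLE = [
    ("https://mail.example.com/mail/#inbox/1", "Example Mail - Payroll dispute", 1295900000000000),
    ("https://mail.example.com/mail/#inbox/2", "Example Mail - Lab results", 1295900100000000),
    ("http://news.example.org/", "Example News", 1295900200000000),
    ("https://bank.example.net/login", None, 1295900300000000),
]

def build_sample_db():
    """Create the in-memory stand-in for a profile's history database."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO moz_places (url, title, last_visit_date) VALUES (?, ?, ?)",
        SAMPLE)
    return db

def retained_https_titles(db, needle=""):
    """Return (host, title) for HTTPS rows whose stored title contains needle."""
    rows = db.execute(
        "SELECT url, title FROM moz_places "
        "WHERE url LIKE 'https://%' AND title IS NOT NULL "
        "ORDER BY last_visit_date")
    return [(urlsplit(url).hostname, title)
            for url, title in rows if needle in title]

def summarize(db):
    """Count retained titles per HTTPS host to show where exposure concentrates."""
    counts = {}
    for host, _ in retained_https_titles(db):
        counts[host] = counts.get(host, 0) + 1
    return counts

if __name__ == "__main__":
    db = build_sample_db()
    for host, title in retained_https_titles(db, "Example Mail - "):
        print(host, "|", title)
    print(summarize(db))
```

An empty result after the history has been cleared, or after a private browsing session, confirms that no HTTPS page titles were left behind for the next user.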