Bug 629420 - direct access to my on-line bank without identification
Status: Closed (VERIFIED INVALID)
Opened 13 years ago; closed 13 years ago
Categories: Firefox :: Security, defect
Reporter: tchibeck; Assignee: Unassigned
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:2.0b10) Gecko/20100101 Firefox/4.0b10
Build Identifier: Mozilla/5.0 (Windows NT 6.0; rv:2.0b10) Gecko/20100101 Firefox/4.0b10

This is the website of my bank. With Firefox 3.6.13, when I closed the browser without disconnecting from my bank website, it was impossible to reconnect without returning to the identification page. Now, with Firefox 4.0 Beta 10, which does not record open tabs when there are several, so I have to turn on the automatic opening of the last page(s) viewed, I am horrified to realize that anyone could re-open Firefox and access my bank account directly, and perform all possible operations online, including transferring the contents of my accounts to any other account, bypassing the identification page and arriving directly on my private account pages, without any login or password, just by re-opening Firefox 4.0 Beta 10. This is a DISASTER. :-(

Reproducible: Always

Steps to Reproduce:
1. Of course not. I won't give you my account number and pass number! :-(
2.
3.

Actual Results:
1) connect to the website I've given you
2) enter a valid account number and corresponding password number
3) the website opens on the "all operations page" of the account.
4) close Firefox 4.0 Beta 10
5) re-open Firefox 4.0 Beta 10
6) You're able to do whatever you want on this bank account without re-identification.
7) That did NOT happen with Firefox 3.6.13
8) :-((

Expected Results:
1) connect to the website I've given you
2) enter a valid account number and corresponding password number
3) the website opens on the "all operations page" of the account.
4) close Firefox 4.0 Beta 10
5) re-open Firefox 4.0 Beta 10
6) open on the login page of the bank to enter identification and pass-number

It's a pity :-(
Comment 1 • 13 years ago
Likely due to session restore now saving HTTPS session cookies. Can you change the value of browser.sessionstore.privacy_level to 1 (via about:config) and see if you can still reproduce this bug?
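As an added illustration (not code from this bug or from Firefox), the following simplified Python model shows which of a site's cookies are still presented after the browser is closed and re-opened, under each value of the browser.sessionstore.privacy_level pref that comment 1 refers to. The hostnames and cookies are constructed; the pref semantics (0 = save session data for every site, 1 = for non-HTTPS sites only, 2 = never) are the documented ones, and the split between the cookie database and session restore is a deliberate simplification.

```python
"""Simplified model of which cookies a site still sees after a Firefox restart.

Added illustration, not Firefox's own code. Persistent cookies live in the
cookie database and always survive; session cookies survive only if session
restore writes them to disk, which browser.sessionstore.privacy_level controls:
0 = save session data for every site, 1 = for non-HTTPS sites only, 2 = never.
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cookie:
    host: str
    name: str
    secure_origin: bool     # set by a page loaded over https://
    expires: Optional[int]  # None means a session cookie (no Expires/Max-Age)

def sessionstore_keeps(cookie: Cookie, privacy_level: int) -> bool:
    """Would session restore persist this session cookie across a restart?"""
    if cookie.expires is not None:
        return False  # persistent cookies are the cookie database's job
    if privacy_level == 2:
        return False
    if privacy_level == 1:
        return not cookie.secure_origin  # drop cookies set by HTTPS pages
    return True  # level 0: keep everything

def cookies_after_restart(jar: List[Cookie], privacy_level: int, now: int) -> List[Cookie]:
    """Cookies still presented after close + reopen with session restore enabled."""
    survivors = []
    for c in jar:
        if c.expires is not None:
            if c.expires > now:  # unexpired persistent cookie: kept regardless of the pref
                survivors.append(c)
        elif sessionstore_keeps(c, privacy_level):
            survivors.append(c)
    return survivors

# Constructed sample jar; hostnames are placeholders, not real sites.
JAR = [
    Cookie("bank.example", "SESSIONID", True, None),      # bank login session cookie
    Cookie("news.example", "PHPSESSID", False, None),     # session cookie from a plain-http site
    Cookie("bank.example", "lang", True, 2_000_000_000),  # persistent preference cookie
]
if __name__ == "__main__":
    for level in (0, 1, 2):
        kept = [f"{c.host}:{c.name}" for c in cookies_after_restart(JAR, level, 1_600_000_000)]
        print(f"privacy_level={level}: {kept}")
```

Only the session cookie set by the HTTPS bank page is affected by the pref; a site that hands out persistent cookies, or whose server never expires logged-in sessions, gains nothing from it, which is why the server-side session timeout is the control that cannot be skipped.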
You did it! :-) The problem is fixed! Maybe it would be safer to distribute this pre-version with this value pre-configured? Thanks a lot. Tchibeck
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 3 • 13 years ago
Don't save your session if you don't want to have your session saved. :)
Updated • 13 years ago
Group: core-security
Comment 4 • 13 years ago
(In reply to comment #3)
> Don't save your session if you don't want to have your session saved. :)

The session is automatically saved by default afaik.
Updated • 13 years ago
Resolution: FIXED → INVALID
Comment 5 • 13 years ago
(In reply to comment #4)
> The session is automatically saved by default afaik.

Bug 627472 will fix this particular case, in that scenario.