Closed Bug 629420 Opened 11 years ago Closed 11 years ago

direct access to my on-line bank without identification

Categories

(Firefox :: Security, defect)

x86
Windows Vista
defect
Not set
major

VERIFIED INVALID

People

(Reporter: tchibeck, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 6.0; rv:2.0b10) Gecko/20100101 Firefox/4.0b10
Build Identifier: Mozilla/5.0 (Windows NT 6.0; rv:2.0b10) Gecko/20100101 Firefox/4.0b10

This is the website of my bank. With Firefox 3.6.13, when I closed the browser without disconnecting from my bank website, it was impossible to reconnect without returning to the identification page. Now, with Firefox 4.0 Beta10, which does not record open tabs when there are several, so I have to turn on the automatic opening of the last page(s) viewed, I am horrified to realize that anyone could re-open Firefox and directly access my bank account, and perform all possible operations online, including transferring the contents of my accounts to any other account, bypassing the identification page and arriving directly on my private account pages, without any login or password, just by re-opening Firefox 4.0 Beta10.  This is a DISASTER.  :-(

Reproducible: Always

Steps to Reproduce:
1. Of course not. I won't give you my account number and pass number! :-(
2.
3.
Actual Results:
1) connect to the website I've given you
2) enter a valid account number and corresponding password number
3) the website opens on the "all operations page" of the account.
4) close Firefox 4.0 Beta10
5) re-open Firefox 4.0 Beta 10
6) You're able to do whatever you want on this bank account without re-identification.
7) That did NOT happen with Firefox 3.6.13
8) :-((

Expected Results:
1) connect to the website I've given you
2) enter a valid account number and corresponding password number
3) the website opens on the "all operations page" of the account.
4) close Firefox 4.0 Beta10
5) re-open Firefox 4.0 Beta 10
6) open on the login page of the bank to enter identification and pass-number

It's a pity :-(
Likely due to session restore now saving HTTPS session cookies.

Can you change the value of browser.sessionstore.privacy_level to 1 (via about:config)? and see if you can still reproduce this bug?
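The preference named above decides whether session restore writes session cookies (the ones with no expiry, which a bank typically uses for its logged-in state) to disk, so that closing and reopening the browser brings the authenticated page back. The following is an added example, not code from the bug thread or from Firefox: it parses the `user_pref(...)` lines of a constructed prefs.js / user.js sample and reports, for a given site URL, whether that profile would persist the site's session cookies across a restart. The value meanings assumed here are the Firefox ones (0 = save session cookies for every site, 1 = save them only for non-HTTPS sites, 2 = save none; unset behaves as 0); the sample profiles and the `bank.example` URL are constructed placeholders.

```javascript
// Added example (not part of the bug report): audit a Firefox profile's
// prefs.js / user.js for browser.sessionstore.privacy_level and predict whether
// session restore would keep a given site's session cookies across a restart.
//
// Assumed preference semantics (Firefox): 0 = persist session cookies for all
// sites, 1 = persist them only for non-HTTPS sites, 2 = persist none.
const PRIVACY_LEVEL_PREF = "browser.sessionstore.privacy_level";

// Parse user_pref("name", value); (or pref(...)) lines into a Map of name -> value.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything that is not a pref
    let value = m[2].trim();
    if (/^"(.*)"$/.test(value)) value = value.slice(1, -1); // string pref
    else if (value === "true" || value === "false") value = value === "true";
    else if (/^-?\d+$/.test(value)) value = parseInt(value, 10);
    prefs.set(m[1], value);
  }
  return prefs;
}

// Effective privacy level; an unset or malformed value falls back to 0.
function privacyLevel(prefs) {
  const v = prefs.get(PRIVACY_LEVEL_PREF);
  return Number.isInteger(v) && v >= 0 && v <= 2 ? v : 0;
}

// Would session restore write the session cookies of `url` to disk?
function sessionCookiesPersisted(prefs, url) {
  const level = privacyLevel(prefs);
  const https = new URL(url).protocol === "https:";
  if (level === 2) return false; // nothing is persisted
  if (level === 1) return !https; // only plain-HTTP sites are persisted
  return true; // level 0: everything is persisted
}

// Summary for one profile and one site, convenient for a hardening check.
function audit(prefsText, siteUrl) {
  const prefs = parsePrefs(prefsText);
  return {
    level: privacyLevel(prefs),
    sessionRestored: sessionCookiesPersisted(prefs, siteUrl),
  };
}

// Constructed sample profiles: one with the default (unset) level and one with
// the value suggested in the thread. Other prefs are just realistic filler.
const WEAK_PREFS = `
// Mozilla User Preferences (constructed sample)
user_pref("browser.sessionstore.resume_from_crash", true);
user_pref("browser.startup.page", 3);
`;
const HARDENED_PREFS = `
// constructed sample
user_pref("browser.startup.page", 3);
user_pref("browser.sessionstore.privacy_level", 1);
`;

const BANK = "https://bank.example/accounts"; // placeholder URL
console.log("weak profile:", audit(WEAK_PREFS, BANK));
console.log("hardened profile:", audit(HARDENED_PREFS, BANK));
```

Run it with `node` to see the two results side by side; the same `audit` function can be pointed at a real profile's prefs.js content when checking a managed fleet of browsers.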
You did it! :-)
The problem is fixed!
Maybe it would be safer to distribute this pre-version with this value pre-configured?
Thanks a lot.
Tchibeck
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Don't save your session if you don't want to have your session saved. :)
Group: core-security
(In reply to comment #3)
> Don't save your session if you don't want to have your session saved. :)

The session is automatically saved by default afaik.
Resolution: FIXED → INVALID
(In reply to comment #4)
> The session is automatically saved by default afaik.

Bug 627472 will fix this particular case, in that scenario.
Depends on: 627472
Status: RESOLVED → VERIFIED