Closed Bug 895512 Opened 11 years ago Closed 11 years ago

security issue on coverflow thumb

Categories

(Firefox :: Tabbed Browser, defect)

Product:
Firefox
Component:
Tabbed Browser
Version:
22 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED DUPLICATE of bug 755996

People

(Reporter: nospam0, Unassigned)

Details

(Keywords: csectype-disclosure) 

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:

With a common install of FF22 on Win XP and history activated.

I go to my bank online account, my mail account and do my stuff.

I open the coverflow.




Actual results:


I suppose the thumbs created in the coverflow for all the websites are randomly shooted, included my bank account and my mails.
The problem is they contains either me typing my bank password with my customer login VISIBLE, me checking my mails, all my bank accounts numbers with their balances...
All that kind of things you can imagine should stay a little secret for others.


Expected results:

A dedicated http request should be use to create the thumb in order to be sure
that the created thumb do not contain session or user informations.

For my bank account, my login is 8 digit and my password 6 digit, so if my login is kwown the number of possibilities decrease very fastly.
Have fun ;)
Severity: normal → minor
Component: Untriaged → Bookmarks & History
Keywords: csec-disclosure
Priority: -- → P1
Could you elaborate what excatly you consider a problem? That the coverflow thumb is shown on your computer and that people could pass by and see it? That you share your computer with several people?
Priority: P1 → --
You shouldn't share your Firefox profile with different people, especially if you store some private data. Or use the private browsing mode.

Firefox has already some features to avoid taking thumbnails of sensitive websites, see bug 754608. But in your case, I guess this website doesn't follow these recommendations...
Component: Bookmarks & History → Tabbed Browser
Hi everyone,

To Andre Klapper :
I've got two points of view, the first one is effectivly the end user point of view if I share my computer or if the computer is share.
The second one is from a technical point of view, "Are the thumbnails access secure as the password box ?", I think the answer is no.
In my sense this is a disclosure of sensitive data and a sensitive data not secure storage that shouldn't happened.
Further this happens in a minor end user functionnality so comparing the benefits and risks, the benefit is you can have a nice thumb to access your mail
the risk is get any account hack really more easily, don't you think this is a problem ?

To Loic :

1.I have installed FF22 as a end user "next,next, finish", I'm on a default profile and I think this is like most of us in the world and even in cybercafes.
2.I do not store private data, FF store automatically some of my most important private data without security policy because this is a unwanted side effect.
3.I'm sorry but always using the private browsing mode is not user friendly.
4.I don't think this is a good policy to rely on others for his own security and as far as I remember recommendation means "should" and not "have to".
5.I REALLY think that rely on end user in software security is not a good thing.

I don't want to be rude or unpolite but you're answering me that I need to have a master in security computer to configure FF2 and call my bank in order to tell them to follow recommendations before I can go on their website OR using a prehistoric private browsing mode, I'm sorry but I won't take it as an answer.

"bug 754608 comment 23" what says Brian Smith is totally pertinent, I'm not a technician but HTTP is blind , why don't just making a new simple base request to solve that ?

Xavier
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.