Closed
Bug 935890
Opened 11 years ago
Closed 11 years ago
hacking session by copying mozilla directory
Categories
(Firefox :: Untriaged, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: zetrotrack000, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 (Beta/Release) Build ID: 20131028112629 Steps to reproduce: On a Linux system, follow these steps: 1. Backup your ~/.mozilla directory 2. Close your firefox and remove your ~/.mozilla directory 3. Login to any computer (as admin) in your network, on which some user is running firefox. 4. copy its /home/<user>/.mozilla directory to your home folder with scp. 5. Run firefox again. Actual results: 1. Firefox may give you an error of crashing session. 2. Click restore session. 3. All the active tab of the user (including logged-in sessions like facebook etc.) will be opened in your computer's firefox. 4. You can also now presst Ctrl+Shift+T to restore all those tabs which that user has recently closed. 5. You can view this facebook chats in real time. 6. You have access to all of his private data. Expected results: The ~/.mozilla directory should be encrypted in such a way that after copying that directory to any other computer, at least logged-in sessions should not work, like facebook, email etc.
Reporter | ||
Updated•11 years ago
|
Severity: normal → major
If someone has physical access to your computer to be able to do this they can do much worse and still get the same data. As such this is not a security sensitive issue.
Group: core-security
Severity: major → normal
Reporter | ||
Comment 2•11 years ago
|
||
This means that the personal web accounts of limited users in a linux network is not safe from root!
Nothing to fix here, same problem for hundreds of applications as soon as someone has a physical access (or through a newtork) to your machine to steal your private data. Many exploits in Windows work like that too.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•