Sign-in security flaw (no password required)
Astonishingly, Firefox Accounts, and everything behind them, do not require any password for sign-in/log-in. That is, I created a PW and logged in once. But no matter how many times I sign out, Mozilla's systems let me back in with just a user name and no PW required. This utter failure at basic security is quite disturbing.
Additional System Details
- Shockwave Flash 32.0 r0
- User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0
Hi beskeptical, please ignore the spam message promoting an unofficial phone number.
Firefox usually saves your Firefox Account login. If you want to disconnect your Firefox Account between uses, you can use the menu for that.
Please note that locally saved logins are readily accessible when you start Firefox unless you set a Master Password. More info in this article:
Can you explain what you mean by "use the menu" to disconnect? There is a drop-down menu in the upper right corner which includes an option for "sign-out." A normal user experience, and the reasonable expectation, is that selecting this option would do what it says: sign-out. However, it does not, as a practical matter, because signing back in does not require re-entry of a password. This makes Firefox, a supposedly privacy-oriented and security-conscious group, different from every other website I've ever encountered. Thank you.
Hi, following up. This remains an unresolved security flaw -- unless anyone knows a workaround. Thanks.
Did you apply a Master Password? If so, the saved login for your Firefox Account won't be used until you enter it.