IMPORTANT !!!! - Show my windows and tabs from last time - MASSIVE SECURITY ISSUE !
I recently upgraded from Firefox 35 to 36 on Windows 7 and noticed that after a restart I was still logged into pages days later after reloading Firefox. I have just tested on another laptop which is running Firefox 35, and this is not an issue there; it seems only to be an issue in Firefox 36.
I then realised this is a 'Massive Security Issue' and did a test: logging into my bank account, then closing down Firefox 36 and restarting my laptop. I found that I was still actually logged into my bank account, free to carry on banking as normal. THIS IS A MAJOR CONCERN AND NEEDS RECTIFYING ASAP!
Imagine the scenario of a user with basic knowledge using a public computer, thinking that by closing down Firefox and the machine completely, without clearing cookies, they would be secure and totally logged out. That is not the case, and the account is totally open to any other user to use to their advantage.
I personally have found a couple of workarounds for this, which are:
- When Firefox Starts: Show my homepage
- About:config - browser.sessionstore.privacy_level (user set 2)
I would appreciate a response regarding this, as I see this as a major issue, and would like someone to acknowledge the problem.
Kind regards J Booth
More system details
- The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
- Shockwave Flash 16.0 r0
- User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
This isn't a major security issue. To address your problem of public computers: many of them are set up with a security program that wipes and re-installs the profile every time someone is done using them. You should also never leave something logged in on a public computer as a matter of course.
If you don't want Firefox doing this on your private computer, you can set Firefox to not leave you logged into sites, but this isn't a security issue.
Question owner
Your response naively assumes that everybody has the same computer knowledge as you and that we live in a perfect world where everybody logs out and wipes profile information after every use.
I'm afraid the real world isn't like that, and the average user will be totally unaware of this problem, so yes, 'This is a major security issue'.
I have to say that is a pretty appalling response; can I ask whether you work for Mozilla, please?
The "When Firefox starts: [Show my windows and tabs from last time]" option has existed since at least Firefox 2.0, so it is not a new feature.
Question owner
Yes, I understand it's not a new feature; however, with exactly the same settings in Firefox 35, when I closed down the browser I needed to log in to my bank again using all the login passwords etc.
Now in Firefox 36 I can even close down Firefox and restart my machine and find I'm still logged into my bank account, able to do everything as normal.
If you can't see a problem with that then I'm obviously using the wrong browser!
I know that not everyone has significant computer knowledge to know this, but the people setting up public computers do. This isn't a new feature either; this is something that Firefox has done for a long time. It's been recently expanded to save passwords better on sites like banks, but it is still nothing new. You can easily disable this on your home computer if it's a problem (Password Manager - Remember, delete and edit logins and passwords in Firefox).
I fail to see what you want us to do other than remove a feature that has existed for a long time with no problems. You are literally the only complaint we've ever seen about this; it seems that most of the world is able to understand this feature pretty well and to not trust public computers.
And yes I work for Mozilla.
Question owner
To me it's pretty obvious that if I have selected 'clear cookies when I close Firefox' then it should do that, even if I have 'Show my windows and tabs from last time' selected.
No matter what preferences I have for the cookies, they are kept alive under this setting, totally ignoring my preferences.
I'm not trying to be awkward, but this issue has only just arisen using Firefox 36, so something must have been changed.
But if you don't see this as an issue then there's no way I can change your opinion, so I will raise the issue elsewhere.
The login information isn't saved in a cookie, it's saved in Firefox's password manager.
Question owner
Yes, I know that, but surely you need to have an active cookie session when you log in, which is not being timed out / removed when Firefox is closed.
Details like websites remembering you (log you in automatically) are stored in a cookie.
- Create a cookie 'allow' exception to keep such cookies, especially in case of secure websites and when cookies expire when Firefox is closed.
- Tools > Options > Privacy > "Use custom settings for history" > Cookies: Exceptions
Firefox stores by default the cookies from tabs that you leave open when you close Firefox. So you should always log off before closing Firefox and possibly use private browsing to avoid storing sensitive data like cookies from your bank site to your Firefox profile folder.
The browser.sessionstore.privacy_level pref can prevent Firefox from storing the cookies as part of session data in the sessionstore.js file.
You can set the browser.sessionstore.privacy_level pref to 2 (never) or 1 (non-HTTPS) on the about:config page to disable saving cookies via session restore in the sessionstore.js file. The browser.sessionstore.privacy_level_deferred pref is used when you do not reopen the previous session automatically via "Show my windows and tabs from last time" and uses the same values.
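To check what the answer above describes on an actual profile, here is an added example (written for this page, not code from the thread or from Mozilla) that reads a plain-JSON sessionstore.js and the profile's prefs.js, lists which cookies session restore has persisted, and reports the configured browser.sessionstore.privacy_level. It assumes the Firefox 35/36-era layout, where cookie records sit under each window's "cookies" array (a top-level "cookies" array is handled too); newer releases write sessionstore-backups/recovery.jsonlz4 with a mozLz4 header, which the script detects and refuses rather than decompressing. The sample session and prefs text are constructed.

```python
"""Audit a Firefox profile for cookies persisted by session restore.

Added example, not code from the thread or from Mozilla. Assumptions:
the session file is plain JSON as written by Firefox 35/36 (sessionstore.js),
with cookie objects either under each window ("windows[].cookies") or at the
top level ("cookies"). Newer releases write sessionstore-backups/recovery.jsonlz4
with a "mozLz40\\0" header; that format is detected and rejected here rather
than decompressed, so the script stays dependency-free.
"""
import json
import re
from typing import Dict, List

MOZLZ4_MAGIC = b"mozLz40\0"
PRIVACY_PREF = "browser.sessionstore.privacy_level"
# Values as described in the answer: 0 = all cookies, 1 = non-HTTPS only, 2 = none.
PRIVACY_LEVEL_MEANING = {
    0: "session restore stores all cookies",
    1: "session restore stores non-HTTPS cookies only",
    2: "session restore stores no cookies",
}


def load_sessionstore(raw: bytes) -> dict:
    """Decode a plain-JSON session file; refuse the mozLz4-compressed variant."""
    if raw.startswith(MOZLZ4_MAGIC):
        raise ValueError("mozLz4-compressed session file; decompress it first")
    return json.loads(raw.decode("utf-8"))


def extract_session_cookies(session: dict) -> List[dict]:
    """Collect cookie records from both layouts (top-level and per-window)."""
    cookies = list(session.get("cookies", []))
    for window in session.get("windows", []):
        cookies.extend(window.get("cookies", []))
    return cookies


def summarize_cookies(cookies: List[dict]) -> Dict[str, dict]:
    """Group persisted cookies by host and count those flagged secure (HTTPS)."""
    report: Dict[str, dict] = {}
    for cookie in cookies:
        host = cookie.get("host", "?")
        entry = report.setdefault(host, {"names": [], "secure": 0})
        entry["names"].append(cookie.get("name", "?"))
        if cookie.get("secure"):
            entry["secure"] += 1
    return report


def parse_privacy_level(prefs_text: str) -> int:
    """Read privacy_level from prefs.js/user.js text; 0 is Firefox's default."""
    pattern = r'user_pref\("' + re.escape(PRIVACY_PREF) + r'",\s*(\d)\);'
    match = re.search(pattern, prefs_text)
    return int(match.group(1)) if match else 0


def audit(raw_session: bytes, prefs_text: str) -> dict:
    """Combine the pref setting with what the session file actually holds."""
    cookies = extract_session_cookies(load_sessionstore(raw_session))
    level = parse_privacy_level(prefs_text)
    by_host = summarize_cookies(cookies)
    secure_count = sum(entry["secure"] for entry in by_host.values())
    return {
        "privacy_level": level,
        "meaning": PRIVACY_LEVEL_MEANING.get(level, "unknown value"),
        "pref_hardened": level == 2,
        "persisted_cookies": len(cookies),
        "secure_cookies_persisted": secure_count,
        "hosts": by_host,
        # A secure (HTTPS) cookie sitting in the session file is the exposure the
        # thread describes: it comes back on the next start without any login.
        "exposed": secure_count > 0,
    }


# Constructed sample input (not a real profile): one window whose session data
# carries a secure bank cookie and an ordinary HTTP cookie.
SAMPLE_SESSION = json.dumps({
    "windows": [{
        "tabs": [{"entries": [{"url": "https://online.example-bank.invalid/"}]}],
        "cookies": [
            {"host": "online.example-bank.invalid", "path": "/",
             "name": "SESSIONID", "value": "c0n5tructed", "secure": True},
            {"host": "news.example.invalid", "path": "/",
             "name": "layout", "value": "wide"},
        ],
    }],
}).encode("utf-8")

SAMPLE_PREFS_DEFAULT = "// constructed prefs.js with the pref left at its default\n"
SAMPLE_PREFS_HARDENED = 'user_pref("browser.sessionstore.privacy_level", 2);\n'

if __name__ == "__main__":
    for label, prefs in (("default", SAMPLE_PREFS_DEFAULT), ("hardened", SAMPLE_PREFS_HARDENED)):
        result = audit(SAMPLE_SESSION, prefs)
        print(f"[{label}] level={result['privacy_level']} ({result['meaning']}); "
              f"{result['persisted_cookies']} cookies in file, "
              f"{result['secure_cookies_persisted']} secure; exposed={result['exposed']}")
```

Run it against a real profile by passing the bytes of sessionstore.js and the text of prefs.js to audit(). The pref only governs what Firefox writes from then on, so the second, "hardened" run still reports the cookies present in the constructed file; on a live profile, check the file again after Firefox has had a chance to rewrite it with the new setting.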
Question owner
Anyway, it's obvious to me I'm wasting my time and you're not actually listening to any of the issues. It's a bit annoying because I love Firefox and always recommend it to everybody, but I guess time will tell regarding the issues raised.
All the best :)
In Firefox you can easily use Clear Recent History to clear cookies and other personal data. Doing that is always good practice and should always be done when you are on a computer that is not your own. It is your own responsibility to assure this.
Modified by cor-el on
I understand it's the user's responsibility and clearing history etc. should be done after banking.
However, I will say it again: it's not a perfect world. Some users may have learning disabilities, or be a bit slow in some respects, or maybe totally new to computing, like older folk.
And in those basic examples there should be a 'fail-safe' to cover them, or at least prompts / warnings to help them see this potential security flaw.
And if you just say, well, they shouldn't be using a computer, I would reply: yes, in a perfect world they wouldn't!
A 'Fail-Safe' is needed!
A fail-safe would render the browser unusable. It's impossible for Firefox to tell if you are using it on a public or private computer; most users are on private computers, and most public computers are configured to ensure this would never be a problem. You are creating a problem that doesn't exist in the real world.
This forum exists to help a user solve specific problems that they are experiencing with Firefox.
If you feel that this is a major security issue, the place to make your concerns heard is here: https://input.mozilla.org/en-US/feedback
That process allows you to provide a contact email address for receiving a response from Mozilla, but that doesn't guarantee that you will receive a response in a timely manner or at all.
The session restore feature is somewhat complicated. The retention of session cookies varies based on your settings (start on home page vs. restore windows and tabs) and the circumstances of how Firefox was shut down (normal shutdown vs. crash). The default settings are biased toward letting users resume work most easily after a crash or restart, and at least from a support perspective, that seems to be what most users expect and prefer based on comments here on the forum.
Among those that express concern, the top issue is someone with access to Firefox getting into their email, since sessions on financial sites usually time out fairly quickly.
It would be nice to have a built-in "security consultant" feature for users who want to tweak their security settings. It seems unlikely that it would be a built-in feature in the near future unless someone with time on their hands steps up and builds it (and helps with the challenge of translating it into all of the languages supported by Firefox...). An add-on might be a more practical stopgap measure.
Modified by jscher2000 on
There is Private Browsing mode in Firefox and some incognito mode in other browsers for such a case and you should make use of it whenever you are in a situation that requires this.