lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 13 Apr 2006 16:16:08 -0000
From: franz@...mail.com
To: bugtraq@...urityfocus.com
Subject: Firefox 1.5.0.1 Password Manager Arbtirary User Browsing History
 Disclosure


Firefox Password Manager Arbtirary User Browsing History Disclosure

Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1)
Gecko/20060111 Firefox/1.5.0.1

This privacy flaw has caused my fiancé and I to break-up after having dated for
5 years.

Basically, we share one computer but under separate Windows XP user accounts.
We both use Mozilla Firefox -- well, he used to use it more than I do but now
we don't really use it. The privacy flaw is this: when he went to log-in under
his dating sites (jdate.com, swinglifestyle.com, adultfriendfinder.com, etc.),
Mozilla promptly asks whether or not he'd like Firefox to save the passwords
for him. He chose never, obviously. However, when he logged off his user
account, and I logged onto my Windows XP account X amount of days later, I
decided to use Firefox because hey -- it loaded everything much more
efficiently, was better to work on with website designs and is a lot more
stable than IE7beta2.

Firefox prompted whether or not I'd like it to save my password for logging
into my website. I chose never and changed my mind. I went into the Password
Manager to change the saved password option from Never to Always and that's
when I saw all these other sites that had been selected as "Never Save
Password." Of course, those were sites I had never visited or could ever dream
of visiting.

Then I realized who, how and what... and sh*t hit the fan. Your browser does
not efficiently respect the privacy of different users for one system.

Reproducible: Always

Steps to Reproduce:
1. Create 2 unique user accounts (for steps sake, let's call the two accounts
Joe and Mary) in Windows XP Home.
2. Logout and sign-in under Joe.
3. Open Firefox and go to an e-mail site or to jdate.com or wherever.
4. Attempt to log-in to the site so that Firefox will ask whether or not you
want your password saved.
5. Choose not to save the password.
6. After successfully logging in and having selected the "never save password"
option, logout.
7. Log-in as Mary and open Firefox.
8. Browse, browse, browse... but you don't really have to. Just go to "View
Saved Passwords," click on the tab that will show you sites to never save
passwords for, and you'll see whatever painful site Joe denied to save a
password for.
9. Break-up with fiancé.

Firefox should be respecting every single area of privacy per user on one
system. It's not doing that... I'm going to submit this as Major because not
everyone shares one computer, but it should really be considered Critical.

------- Comment #1 From Jesse Ruderman 2006-03-17 17:40 PDT [reply] -------
I don't know if you still have access to the computer you and your ex-fiancé
shared, but it sounds like Firefox was sharing a profile between the two
Windows XP user accounts. How is that possible -- were both users
administrators or something? Were bookmarks separate?

------- Comment #2 From Jesse Ruderman 2006-03-17 18:13 PDT [reply] -------
Or, as sp3000 points out, maybe he accidentally logged into one of those sites
while you were logged into Windows XP.

------- Comment #3 From stop throttling my inbox 2006-03-21 11:14 PDT [reply] -------
All right, I think it's been figured out.

When we decided to have separate user accounts just a short time ago,
since the computer is mine and the log-in we used to share was mine,
we just ended up creating a separate user account for him. However,
before that, he had installed and uninstalled another version of
Firefox in his own personal directory. The first time this happened,
he was trying to hide this stuff from me by using Firefox and
participating on the sites in there. I found out he had been using
another browser by one time accidentally sneaking up on him in the
middle of the night and he uninstalled it. Later, after we had
separate user accounts, I installed Mozilla because it was great in
testing browser compatibility for websites in progress and it must
have picked up certain things from his previous profile. He swears up
and down he never did it while logged-in to my account and I can't see
him messing up like that. This is the only explanation I can think
of.

Regardless, even if the sites in the "Never Save Password" list were
from weeks ago, the sites show he's been logging in regularly and is
an active member. So whatever... I guess when he uninstalled Firefox
originally, it wasn't a completely clean uninstall. That's the only
explanation since we couldn't duplicate my reported bug as easily as
we thought.

Also, I'm going to put this bug as dependent on that uninstallation of profile
data bug that Jesse Ruderman sent me. It seems new users will risk seeing old
data on a new installation of the browser (after a complete uninstallation had
been done). I can't confirm that by replicating it, but I can just confirm it
from this one time occurance at the moment.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ