Message-ID: <419E289B.60006@cruzio.com>
From: dveditz at cruzio.com (Daniel Veditz)
Subject: Gmail anomaly

ifconfig_xl0 wrote:
> If you open two gmail accounts in two different firebird/fox browsers
> the first account logged into after a refresh becomes the second
> account. Or if you send an e-mail with the second account, it may
> send as the first and refresh back as account1.
> 
> So if you login with GmailAccount1 and then open another browser and
> log into GA2, go back to GA1 browser and hit refresh, GA1 will be in
> the mailbox of GA2.
> 
> This obviously is not a security risk because the mailbox was already
> logged into, but I still thought it was a weird thing to do. It doesn't
> act that way with internet exploder though so it must be something
> with Firefox ...

In Firefox there is only ever one instance of the executable, and all
windows share session cookies (and http auth, which has similar differences
between IE and Firefox).

You get the same behavior from IE if you open new windows from existing
browser windows (crucial for web apps to work). You get a new process that
does not share session information if you launch a new window from the OS
(Desktop link, start menu, command-line, etc).

In practice the difference doesn't matter to the average user, but there are
lots of Bugzilla duplicates filed by power users asking Mozilla to mimic the
IE behavior.

It becomes a minor security problem in conjunction with sites that assume
the IE behavior and which lazily instruct the user to "close the browser
window" to completely log out rather than reset the session info from the
server side. This is insufficient even for IE if the user opens multiple
windows using Ctrl+N or the File|New menu item.

-Dan Veditz
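
The server-side session reset described in the reply above, as an added example that is not part of the original message: a minimal in-memory session table in Python where logout deletes the session on the server, so a cookie still held by other windows of the same browser stops working. The cookie name `sid`, the `SessionStore` class and the shared-jar model in `demo()` are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "sid"  # hypothetical cookie name (assumption)


class SessionStore:
    """Server-side session table: the server, not the browser, decides validity."""

    def __init__(self):
        self._sessions = {}  # session id -> user name

    def login(self, user):
        """Create a session; return a Set-Cookie value with no Expires (session cookie)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        c = SimpleCookie()
        c[COOKIE] = sid
        c[COOKIE]["httponly"] = True
        c[COOKIE]["path"] = "/"
        return c[COOKIE].OutputString()

    def whoami(self, cookie_header):
        """Return the user for a request's Cookie header, or None if unknown."""
        morsel = SimpleCookie(cookie_header).get(COOKIE)
        return self._sessions.get(morsel.value) if morsel else None

    def logout(self, cookie_header):
        """Drop the server-side state, then tell the browser to expire the cookie."""
        morsel = SimpleCookie(cookie_header).get(COOKIE)
        if morsel:
            self._sessions.pop(morsel.value, None)  # the step "close the window" skips
        out = SimpleCookie()
        out[COOKIE] = ""
        out[COOKIE]["max-age"] = 0
        out[COOKIE]["path"] = "/"
        return out[COOKIE].OutputString()


def demo():
    store = SessionStore()
    # Constructed browser model: one jar shared by every window of the process.
    jar = store.login("GA1").split(";", 1)[0]   # "sid=<value>"
    after_window_close = store.whoami(jar)       # closing one window leaves the jar intact
    store.logout(jar)
    after_logout = store.whoami(jar)             # the old cookie is now rejected
    return after_window_close, after_logout
```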

