firefox 3.0.1 can access my email after reboot without challenge, even though i asked it not to save passwords

Bug #261553 reported by djineric
Affects: firefox-3.0 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: firefox-3.0

this behaviour changed in yesterday's bundle of patches on ubuntu 8.04 and firefox 3.0.1.

after the reboot, i started firefox and selected 'restore previous session'. it opened both my gmail and my msn mail, and a protected page on a third website, without challenging me for a password, even though i never have firefox save my passwords.

previous to this update, after a system restart, i always got a password challenge when i selected 'restore previous session' from firefox, and it is the expected behaviour.

ProblemType: Bug
Architecture: i386
Date: Tue Aug 26 13:36:34 2008
DistroRelease: Ubuntu 8.04
Package: firefox-3.0 3.0.1+build1+nobinonly-0ubuntu0.8.04.3
PackageArchitecture: i386
ProcEnviron:
 PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: firefox-3.0
Uname: Linux 2.6.24-19-generic i686

Tags: apport-bug

djineric (shields-paul) wrote :

This becomes a serious thing to think about w.r.t. single points of failure.

Scenario: Subject has M minutes of battery backup, in case of power failure.

One morning, Subject arrives at the office and finds that a tamper-evident seal on his office door was tampered with. Investigating, he discovers that his workstation had restarted. He notifies the security admin of the irregularity, who tells him that there was a power failure at some point in the night, because of a thunderstorm, and the power was off for M+K minutes. Security admin also says that Subject probably forgot to set the tamper-evident seal on his door as he left the previous night, and that according to the access logs, only authorized people were in the building.

M+K could have been enough time to unplug and clone a hard drive. Should he be paranoid that persistent information could have been copied, and later used to access presumed-secure offsite resources?

djineric (shields-paul) wrote :

this is also a problem on firefox 2.0.0.16 on windows

Pedro Villavicencio (pedro) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering, is this still an issue for you? Could you try to reproduce the same with Ubuntu 8.10 or 9.04? Thanks in advance.

Changed in firefox-3.0:
status: New → Incomplete

Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in firefox-3.0 (Ubuntu):
status: Incomplete → Invalid

This report contains Public Security information
Everyone can see this security related information.
