|
-
June 21st, 2005, 03:35 AM
#1
Possible Firefox vuln ?
Ok, Not sure if I am the first to see this (a quick google turned nothing up), but it is kind of apparent. I recently noticed a firefox vuln that deals with firefox's cookie handling, more specifically, single session cookie handling.
This is what happened:
1: went to hotmail with firefox with browser window #1, signed in, and checked my mail
2: opened some other site (say antionline.com) in browser window #2 (not tab mind you)
3: closed browser #1
4: went to hotmail.com in browser #2 to compose new Email and was automatically logged in. No password or anything.
this is my setup:
1: remember my user name (hotmail).
2: Windows XP with firefox: 1.0.4 revision: 1.7.8 (which I think is the most up-to-date)
3: In recreating this, I deleted all my cookies and offline content. Everything.
I tried to recreate this in IE, but to no avail. I think that this could be an issue. I mean some user logs in, then opens another window, closes the first and steps away from their desk. Anyone walking by could check their email just by going to hotmail.
Anyone care to help me out with this? Check your gmail or whatever web based email you have abd tell me what is going on here. I haven't looked at firefox's source yet, but I am going to study this (in several different enviroments).
The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
-
June 21st, 2005, 04:11 AM
#2
Hi, dmorgan,
Yeah, I've noticed that, too.
Try this (if you have a Yahoo account):
- sign-in in the general browse environment (such that you simply click mail and off you go to your email account).
- roam around the other websites, including AO
When you return to the Yahoo environment, you're still signed in. In the same vein, launch another browser window (as you've done with Hotmail). Go again to the Yahoo environment and you'll see that you are signed-in to that account, too.
I don't consider it as an inconvenience, though, but quite the contrary. Probably because I do my computing at home, I find it easier not to log-in again.
But yes, I agree with you: it appears to be the cookie-handling method of Firefox. If I were in a public cybercafe with a Mozilla Firefox browser, the best precaution is to do the following before standing up:
1. Clear all stored information (cookies, history and all) using Tools -> Options ... just to make sure that the trails created during the session are removed; and
2. Close the Firefox browser (can't disconnect from the LAN set-up, though).
If there was a keylogger installed in that cybercafe, well... that's another issue by itself.
Cheers!
-Goitz
Si vis pacem, para bellum!
-
June 21st, 2005, 05:32 AM
#3
I noticed it all starts from the same process, yet new tasks, but when I look at the threads, it changes at first, then goes back to what it was at. I am thinking that firefox stores its single session cookies in temp memory (heap), then when additional browsers try to go to a particular website, it reads that data and uses it as if it were the original task. Then, if you unload the original, since the second one is still up, the heap doesn't go away.
I am so confused (read: kinda drunk and still trying to figure this out), but that is what I am thinking goes on.
/* edit, I do all my stuff from home, too, so it won't affect me so much, but if someone who didn't know about this was at a cyber-cafe, and left 1 window open...
I think it needs a patch, I mean it is convienent, but it should stick to 1 browser instance, not all.
The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
-
June 21st, 2005, 07:57 AM
#4
I agree, it will need a patch.
But then again, the onus of security responsibility is on the user. The precautions to safe computing will make this Firefox issue just a part of it all. When one forgets to sign-out of Yahoo!Messenger in a public computer, he/she makes himself vulnerable to unauthorized email access by others whenever a new message arrives. The same holds true with this "cookie" issue with firefox.
Let's just hope this will be part of the heads-up to unsuspecting users.
And maybe we continue this thread toward the subject of "erasing trails" from online activities to downloads to deleting files and folders without sending them to the Recycle Bin. TIP: Use "del" and "rd" from the Command prompt (this is for those who are not familiar with MS/PCDOS commands). Note that "deltree" for removing a whole folder does not work in Windows XP.
Si vis pacem, para bellum!
-
June 21st, 2005, 09:00 AM
#5
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 21st, 2005, 11:23 AM
#6
To keep connection alive even if browser window was closed can be good in some cases.
But if you do not want it....
Look in:
Options>privace>cookies
check "Allow sites to set cookies"
chose in "Keep Cookies:" [until I close Firefox]
// too far away outside of limit
-
June 21st, 2005, 06:42 PM
#7
In my experience, since i'm a heavy tabs user in firefox, if you log in to your yahoo account in the second tab, til you log out, you can always access it in the same tab, but if you open up a new tab or a new window, it will make you log in again. Thats just what i remember from memory, i could be completely wrong, however, IE doesn't care what window you were working with, if you logged in, your logged in til you timeout or logout.
-
June 21st, 2005, 07:06 PM
#8
When you close down firefox entirely it will forget any temporary cookies. Tabs are the same way, for example you can login to gmail in one tab, and you wont need to login in any of the other tabs.
IE doesn't work that way though, even when both windows are open (you can read 2 gmail accts. at once) IE is a seperate process for each window, Firefox is 1 process for everything. To kill the process, you have to close all the windows.
I wouldn't say this is serious enough for an immediate patch, but maybe a bug fix for any new releases.
http://www.mozilla.org/support/firefox/bugs
-
June 22nd, 2005, 01:09 AM
#9
hmmmm if you were in a cyber cafe or such and were worried about keyloggers could you not type the whole alphabet (upper/lowercase), numbers and special characters into a txt document and then copy/paste them into the password field as required - hehe a bit of overkill but would be a successful way of stopping keyloggers form snagging your password would it not?
-
June 22nd, 2005, 06:55 AM
#10
Hi, val
Perhaps. But it will still be recorded by the keylogger, right? Of, course, if the user first decides to create a random text in poaragraph form, the tendency of the reader is to ignore the typed paragraph.
Besides when you copy-paste the password, it will not be that **** but plain text, which is rather more vulnerable to eyes behind the shoulder. I could almost imagine someone smirking with glee with that.
On the other side, there are those who have fast eyes. I've heard of several kids, including my son, whose online game accounts were tampered just because they were in a public LAN and someone managed to "glance around" as they were logging in into their accounts. The next time they tried to log in, their "treasures" were looted. Pretty nifty, those account stealers.
Oh, well... in the vulnerability aspects, it is always the user who is responsible, I dare say.
Si vis pacem, para bellum!
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote