Firefox security issue?

Slinwagh · 10 Aug 2007 at 11:14

I was just logged in and viewing my credit card account as I would do any other day of the week.

Any way while i was viewing the details the Logitech G15 keyboard application crashed so I restarted the PC.

I logged in and clicked on the Firefox icon and was prompted as to whether I wanted to restart the session, i selected yes.

Now to my surprise several tabs opened including the page detailing my credit card account, I was logged in and had full access.

Surely this shouldn't happen as any PC logged in using a shared user account would be vulnerable to this exploit wouldn't it?

Moredhel · 10 Aug 2007 at 11:16

On a shared PC you'd turn the session recovery off, surely?

Glaucus · 10 Aug 2007 at 11:17

No that shouldn't happen. However that sounds more like your card company using rubbish cookies and a sever lack of security rather than firefoxs own security.

Slinwagh · 10 Aug 2007 at 11:20

AcidHell2 said:
No that shouldn't happen. However that sounds more like your card company using rubbish cookies and a sever lack of security rather than firefoxs own security.

Thinking about it I have restored sessions in the past when I have been logged into my HSBC accounts and i don't ever remember it happening but i will test now.

The credit card was capital one by the way.

Zogger · 10 Aug 2007 at 13:06

Given that you only did a reebot that's probably not as bad as it sounds. It will of course only work for a few minutes assuming the bank is sensible and has a timeout on your session. Given that there is no differentiation on the server between a normal request and one that's been restored there's not much they can do about it.

edit: surprised to realise this threead was a few hours old

Dave M · 10 Aug 2007 at 13:17

AcidHell2 said:
No that shouldn't happen. However that sounds more like your card company using rubbish cookies and a sever lack of security rather than firefoxs own security.

Not at all, they give you a session cookie which firefox is able to preserve even after it's closed, this could be taken as insecure as you should expect session cookies to be destroyed when the browser is closed, it's a feature but I would prefer if it was off by default.

The website is doing absolutely nothing wrong, the session was still valid when he restarted and firefox restored the session cookie - the website has absolutely no way of knowing that he has restarted and restored his session, it's exactly the same as somebody reading his statement online, checking a few receipts then clicking 'next' 5 minutes later.

If the session expired after 30 seconds it would be no more secure but completely impossible to use.

Surely this shouldn't happen as any PC logged in using a shared user account would be vulnerable to this exploit wouldn't it?

Yes, until the session expired (30 minutes at most), thats why your told to log out when you have finished.

marc2003 · 10 Aug 2007 at 13:21

as always, there are extensions to turn this off or tweak settings to your preference. i use tab mix plus but there are many others. by default the extension i use does preserve POST data/cookies but only on normal sites (not https://) so in your case, the session would not have been restored.

Glaucus · 10 Aug 2007 at 16:02

Telescopi said:
Not at all, they give you a session cookie which firefox is able to preserve even after it's closed, this could be taken as insecure as you should expect session cookies to be destroyed when the browser is closed, it's a feature but I would prefer if it was off by default.
.

It's still pretty lax for a bank to be using cookies like that. But I agree it would be better if it was turned of by default. Or at least if it doesn't restore https pages.

Slinwagh · 10 Aug 2007 at 16:28

Is this actaully worth reporting to Capital One ?

Glaucus · 10 Aug 2007 at 16:34

Slinwagh said:
Is this actaully worth reporting to Capital One ?

I would, but they'll probably wont do anything and say it's perfectly secure, which it kind of is. It would mean re-writing a part of there site to correct it.
There response will be something like, make sure you log out on communal computers.

marc2003 · 10 Aug 2007 at 17:00

AcidHell2 said:
I would, but they'll probably wont do anything and say it's perfectly secure, which it kind of is. It would mean re-writing a part of there site to correct it.
There response will be something like, make sure you log out on communal computers.

there's nothing they can do. it's all down to how firefox works. my website has a login area which doesn't set cookies. it uses php sessions and firefox even caches that and will log me back in if it closes unexpectedly. basically firefox is fooling the server by taking a snapshot in time to make it transparent to the end user what is going on. well that's how i see it, i'm no expert....

Glaucus · 10 Aug 2007 at 17:06

marc2003 said:
there's nothing they can do. it's all down to how firefox works. my website has a login area which doesn't set cookies. it uses php sessions and firefox even caches that and will log me back in if it closes unexpectedly. basically firefox is fooling the server by taking a snapshot in time to make it transparent to the end user what is going on. well that's how i see it, i'm no expert....

check out hsbc it wont let firefox back in. If coded to a high security firefox can't let you back in. Regardless of what it saves.

marc2003 · 10 Aug 2007 at 17:10

hehe. good job i put my disclaimer on the end then....

you're right, i just tested with my hsbc account and it does what it should.