Posted on 04/17/2006 5:58:28 AM PDT by antiRepublicrat
Something nobody thought of: Sure, Mozilla deletes various sensitive information at the click of a button, but where you've been browsing is hidden elsewhere in a useful feature. Here's the bug:
-------------------------------------
This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.
Basically, we share one computer but under separate Windows XP user accounts. We both use Mozilla Firefox -- well, he used to use it more than I do but now we don't really use it. The privacy flaw is this: when he went to log-in under his dating sites (jdate.com, swinglifestyle.com, adultfriendfinder.com, etc.), Mozilla promptly asks whether or not he'd like Firefox to save the passwords for him. He chose never, obviously. However, when he logged off his user account, and I logged onto my Windows XP account X amount of days later, I decided to use Firefox because hey -- it loaded everything much more efficiently, was better to work on with website designs and is a lot more stable than IE7beta2.
Firefox prompted whether or not I'd like it to save my password for logging into my website. I chose never and changed my mind. I went into the Password Manager to change the saved password option from Never to Always and that's when I saw all these other sites that had been selected as "Never Save Password." Of course, those were sites I had never visited or could ever dream of visiting.
Then I realized who, how and what... and sh*t hit the fan. Your browser does not efficiently respect the privacy of different users for one system.
Reproducible: Always
(Excerpt) Read more at bugzilla.mozilla.org ...
"This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years."
And, who is your lawyer in the suit vs. Firefox over your romance issues?
Bubba has his law license now. Give him a call.
Yes, but deleting them isn't part of Firefox's "Clear Private Data" command, plus deleting them keeps Firefox asking you if you want to remember passwords.
I'm going to have to check on where it stores those. They should be in the person's profile, so it's strange the other user gets to see them.
Did your ex-boyfriend enjoy "Brokeback Mountain"?
My run-in with the "old profile" flaw caused mysterious crashes in upgrades to Firefox. The old profiles can have data in them which newer versions of Firefox can't handle.
Initially I thought Firefox was crashing because I was running it on WinXP 64-bit but then I had the problem on a couple XP 32-bit machines. I did a couple uninstalls and deleted the Program Files directory of Firefox before I found the Mozilla profile folder in Application Data.
Manually deleting the profile folder before an upgrade to Firefox fixes the problem.
Eventually, someone is going to flag the bug and fix it - probably with a "Delete Detected Profiles" option in the installer.
Don't write it down if you don't want it published. Don't throw rocks when you live in a glass house. A man and his perversions are soon outed. Those rules have applied since cave drawings. Seems like good solid advice.
A little more light under the rocks please. Then we can really evaluate the quality of those news sources.
Fixed it.
Actually, it is stored in the user's profile. If you look down through the comments, you see that the original reporter installed FF on a single-user machine, so it created a single profile in a globally accessible location. Then, afterwards, the user created separate login accounts for Windows. Except that they didn't create separate FF profiles, so naturally FF continued using the only profile it knew about. The moral is, if you convert from a single-user machine to one with multiple accounts, either manually create separate browser profiles, or uninstall and reinstall to allow them to be created automatically. This is probably not a common situation, and I'm not sure it's really fair to describe it as a legitimate browser bug - the browser did exactly what they originally told it to do, in using a single profile, and then they apparently wanted it to read their minds and psychically know that it was time to start using multiple profiles.
Or, maybe the moral is, stick to free porn sites that don't require a login :)
LOL!
The bottom-line.
From the comments:
------- Comment #16 From majken@gmail.com 2006-03-22 19:30 PDT -------
Mossop - as per comment #3 what *actually* happened was that he installed firefox *before* they were using separate windows profiles, so what really happened is this.
1. They're still using the same windows profile,
2. He installs firefox in his directory on her computer in her profile i.e. he installs it to c:\fiance\Mozilla Firefox\ instead of to c:\Program Files\Mozilla Firefox
3. He uninstalls firefox after she sees him using it
4. They create him his own Windows profile, she keeps using the one they were sharing
5. She installs firefox in a different directory than he did (eg c:/Program Files/Mozilla Firefox/)
6. As expected, firefox detects the already existing profile on her windows account.
Your biggest mistake occurred when you wrote the above sentence. Anyone who paid the least bit of attention in grade school would know that the correct grammatical form is "...caused my fiancé and me to break up."
The verb here is "caused" and "my fiancé and me" are objects of the verb. The correct form for I/me when used as the object of a verb is obviously "me."
You would automatically say, "Caused me to break up...." Just because there are now two objects (or, if you prefer, a compound object), there is no reason to switch from the object form ("me") to the subject form ("I.")
Download Adaware free and run a scan, it will kill that scumsucking parasite.
I guess she owes Firefox a letter of thanks...
Examples:
We split up.
My fiancé and I split up.
A homewrecker split us apart.
A homewrecker split my fiancé and me apart.
Makes me think ... "Mozilla doesn't kill relationships....people do".
I think this boils down to:
It's not obvious that you can protect your saved/not saved passwords with another password. Users have to go to the config, and many never do that.
Firefox's horrible user profile management. Firefox should give an option to delete profiles when removing the program, and on install should either show existing profiles and give the option to use them, or have them show in the profile manager (which should have a start menu item, not need to be typed in with Start:Run). Basically, Firefox's installer/uninstaller need some fixing. Also, the first time a user uses the saved password feature, he needs to be told how to secure the information with a password.
Otherwise, I would consider this to be a privacy bug.
One user should not have access to the preferences of another.
This could also be facilitated by an XP permissions failure.
I know that on Linux systems, the situation described is not possible because you don't have read access to the /home/$user/.mozilla directory.
Perhaps a change in operating systems is in order. ;-)
As administrator, you have access to any file.
That doesn't explain why FF is pulling up user settings for another user. As I stated earlier on the thread, this doesn't happen on Unix/Linux systems because of where the data is stored.
This situation is roughly akin to logging in as someone else, and then being surprised that you're able to read the stuff in that user's "My Documents" folder. Would we blame Word for a privacy breach if her boyfriend left a bunch of incriminating .doc files in their shared profile, and then she was able to open them and read them?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.