Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Firefox privacy but lets others see where you've been visiting [my title]
Mozilla.org ^ | 2006-03-17 | anonymous

Posted on 04/17/2006 5:58:28 AM PDT by antiRepublicrat

Something nobody thought of: Sure, Mozilla deletes various sensitive information at the click of a button, but where you've been browsing is hidden elsewhere in a useful feature. Here's the bug:

-------------------------------------

This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.

Basically, we share one computer but under separate Windows XP user accounts. We both use Mozilla Firefox -- well, he used to use it more than I do but now we don't really use it. The privacy flaw is this: when he went to log-in under his dating sites (jdate.com, swinglifestyle.com, adultfriendfinder.com, etc.), Mozilla promptly asks whether or not he'd like Firefox to save the passwords for him. He chose never, obviously. However, when he logged off his user account, and I logged onto my Windows XP account X amount of days later, I decided to use Firefox because hey -- it loaded everything much more efficiently, was better to work on with website designs and is a lot more stable than IE7beta2.

Firefox prompted whether or not I'd like it to save my password for logging into my website. I chose never and changed my mind. I went into the Password Manager to change the saved password option from Never to Always and that's when I saw all these other sites that had been selected as "Never Save Password." Of course, those were sites I had never visited or could ever dream of visiting.

Then I realized who, how and what... and sh*t hit the fan. Your browser does not efficiently respect the privacy of different users for one system.

Reproducible: Always

(Excerpt) Read more at bugzilla.mozilla.org ...


TOPICS: Computers/Internet
KEYWORDS: browser; firefox; passwords; privacy
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-8081-85 next last
To: TommyDale

"This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years."

And, who is your lawyer in the suit vs. Firefox over your romance issues?

Bubba has his law license now. Give him a call.


21 posted on 04/17/2006 6:30:57 AM PDT by KeyLargo
[ Post Reply | Private Reply | To 4 | View Replies]

To: antiRepublicrat
Image Hosted by ImageShack.us
22 posted on 04/17/2006 6:31:07 AM PDT by Rakkasan1 (they love you in Mexico until you pay in pesos.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: facedown
You can simply delete them.

Yes, but deleting them isn't part of Firefox's "Clear Private Data" command, plus deleting them keeps Firefox asking you if you want to remember passwords.

I'm going to have to check on where it stores those. They should be in the person's profile, so it's strange the other user gets to see them.

23 posted on 04/17/2006 6:31:50 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 18 | View Replies]

To: mkjessup

Did your ex-boyfriend enjoy "Brokeback Mountain.?"


24 posted on 04/17/2006 6:32:50 AM PDT by KeyLargo
[ Post Reply | Private Reply | To 15 | View Replies]

To: Panerai
It's not "dumb".   It's another incarnation of the "old profile" flaw:  this person discovered it affects "privacy".   (Although to be honest, I don't believe the story from the bug reporter.)

My run in with the "old profile" flaw caused mysterious crashes in upgrades to Firefox.  The old profiles can have data in them which newer versions of Firefox can't handle.

Initially I thought Firefox was crashing because I was running it on WinXP 64-bit but then I had the problem on a couple XP 32-bit machines.  I did a couple uninstalls and deleted the Program Files directory of Firefox before I found the Mozilla profile folder in Application Data.

Manually deleting the profile folder before an upgrade to Firefox fixes the problem.

Eventually, someone is going to flag the bug and fix it - probably with a "Delete Detected Profiles" option in the installer.

 

25 posted on 04/17/2006 6:33:30 AM PDT by Psycho_Bunny (The MSM is a hate group and we are the object of their disdain.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: antiRepublicrat

Don't write it down if you don't want it published. Don't throw rocks when you live in a glass house. A man and his perversions are soon outed. Those rules have applied since cave drawings. Seems like good solid advice.

A little more light under the rocks please. Then we can really evaluate the quality of those news sources.


26 posted on 04/17/2006 6:33:39 AM PDT by Steamburg (Pretenders everywhere)
[ Post Reply | Private Reply | To 1 | View Replies]

To: antiRepublicrat
"This privacy flaw My general stupidity, along with searching for a new "Ho" on a shared computer have caused my fiancé and I to break-up after having dated for 5 years."

Fixed it.

27 posted on 04/17/2006 6:34:09 AM PDT by Recovering Hermit (A hermit is a deserter from the army of humanity.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: contemplator
This is the sort of thing, which if it must be tracked, should be stored in the users profile itself, not in the settings for the software.

Actually, it is stored in the user's profile. If you look down through the comments, you see that the original reporter installed FF on a single-user machine, so it created a single profile in a globally accessible location. Then, afterwards, the user created separate login accounts for Windows. Except that they didn't create separate FF profiles, so naturally FF continued using the only profile it knew about. The moral is, if you convert from a single-user machine to one with multiple accounts, either manually create separate browser profiles, or uninstall and reinstall to allow them to be created automatically. This is probably not a common situation, and I'm not sure it's really fair to describe it as a legitimate browser bug - the browser did exactly what they originally told it to do, in using a single profile, and then they apparently wanted it to read their minds and psychically know that it was time to start using multiple profiles.

Or, maybe the moral is, stick to free porn sites that don't require a login :)

28 posted on 04/17/2006 6:37:16 AM PDT by Senator Bedfellow
[ Post Reply | Private Reply | To 7 | View Replies]

To: AntiGuv
As someone posted there, the solution is clear: Never share your computer with your girlfriend. ;^)

LOL!

The bottom-line.

29 posted on 04/17/2006 6:39:19 AM PDT by Recovering Hermit (A hermit is a deserter from the army of humanity.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: antiRepublicrat
They should be in the person's profile, so it's strange the other user gets to see them.

From the comments:

------- Comment #16 From majken@gmail.com 2006-03-22 19:30 PDT [reply] -------

Mossop - as per comment #3 what *actually* happened was that he installed firefox *before* they were using seperate windows profiles, so what really happened is this.

1. They're still using the same windows profile,

2. He installs firefox in his director on her computer in her profile i.e. he installs it to c:\fiance\Mozilla Firefox\ instead of to c:\Program Files\Mozilla Firefox

3. He uninstalls firefox after she sees him using it

4. They create him his own Windows profile, she keeps using the one they were sharing

5. She installs firefox in a different directory than he did (eg c:/Program Files/Mozilla Firefox/)

6. As expected, firefox detects the already existing profile on her windows account.


30 posted on 04/17/2006 6:41:16 AM PDT by Senator Bedfellow
[ Post Reply | Private Reply | To 23 | View Replies]

To: antiRepublicrat
This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.

Your biggest mistake occurred when you wrote the above sentence. Anyone who paid the least bit of attention in grade school would know that the correct grammatical form is "...caused my fiancé and me to break up."

The verb here is "caused" and "my fiancé and me" are objects of the verb. The correct form for I/me when used as the object of a verb is obviously "me."

You would automatically say, "Caused me to break up...." Just because there are now two objects (or, if you prefer, a compound object), there is no reason to switch from the object form ("me") to the subject form ("I.")

31 posted on 04/17/2006 6:48:28 AM PDT by TruthShallSetYouFree (Abortion is to family planning what bankruptcy is to financial planning.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: jdm
porn shows up for no reason on my computer

Download Adaware free and run a scan, it will kill that scumsucking parasite.

Lavasoft Ad-aware

32 posted on 04/17/2006 7:10:13 AM PDT by American in Israel (A wise man's heart directs him to the right, but the foolish mans heart directs him toward the left.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: antiRepublicrat

I guess she owes Firefox a letter of thanks...


33 posted on 04/17/2006 7:12:13 AM PDT by American in Israel (A wise man's heart directs him to the right, but the foolish mans heart directs him toward the left.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TruthShallSetYouFree
The rule is simple: If "we" would be substituted then it's "fiancé and I"; if "us" would be substituted then it's "fiancé and me"..

Examples:

We split up.
My fiancé and I split up.

A homewrecker split us apart.
A homewrecker split my fiancé and me apart.

34 posted on 04/17/2006 7:14:38 AM PDT by AntiGuv (The 1967 UN Outer Space Treaty is bad for America and bad for humanity - DUMP IT!)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Dark Skies

Makes me think ... "Mozilla doesn't kill relationships....people do".


35 posted on 04/17/2006 7:24:11 AM PDT by Walkingfeather (u)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Senator Bedfellow
From the comments:

I think this boils down to:

It's not obvious that you can protect your saved/not saved passwords with another password. Users have to go to the config, and many never do that.

Firefox's horrible user profile management. Firefox should give an option to delete profiles when removing the program, and on install should either show existing profiles and give the option to use them, or have them show in the profile manager (which should have a start menu item, not need to by typed in with Start:Run) Basically, Firefox's installer/uninstaller need some fixing. Also, the first time a user uses the saved password feature, he needs to be told how to secure the information with a password.

36 posted on 04/17/2006 7:25:18 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 30 | View Replies]

Comment #37 Removed by Moderator

To: antiRepublicrat
I'm not positive, but I believe that if you set a "master password", you shouldn't be able to view the information as reported.

Otherwise, I would consider this to be a privacy bug.

One user should not have access to the preferences of another.

This could also be facilitated by an XP permissions failure.

I know that on Linux systems, the situation described is not possible because you don't have read access to the /home/$user/.mozilla directory.

Perhaps a change in operating systems is in order. ;-)

 

38 posted on 04/17/2006 8:02:12 AM PDT by zeugma (Anybody who says XP is more secure than OS X or Linux has been licking toads.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: contemplator
Good point.

As administrator, you have access to any file.

That doesn't explain why FF is pulling up user settings for another user. As I stated earlier on the thread, this doesn't happen on Unix/Linux systems because of where the data is stored. 

39 posted on 04/17/2006 8:06:48 AM PDT by zeugma (Anybody who says XP is more secure than OS X or Linux has been licking toads.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: antiRepublicrat
Well, I agree that the uninstaller should probably offer to remove profiles, but aside from that, it's not really a "privacy" issue to give people access to what is ostensibly their "own" data in their "own" profile. In this case, someone discovered that allowing others to access "your" (boyfriend's) profile gave them access to "your" (boyfriend's) data. Well, okay, but that's not much of a surprise.

This situation is roughly akin to logging in as someone else, and then being surprised that you're able to read the stuff in that user's "My Documents" folder. Would we blame Word for a privacy breach if her boyfriend left a bunch of incriminating .doc files in their shared profile, and then she was able to open them and read them?

40 posted on 04/17/2006 8:17:54 AM PDT by Senator Bedfellow
[ Post Reply | Private Reply | To 36 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-8081-85 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson