Re: [Full-Disclosure] Gmail anomaly

From: Daniel Veditz (dveditz_at_cruzio.com)
Date: 11/19/04

    Date: Fri, 19 Nov 2004 09:08:43 -0800
    
    

    ifconfig_xl0 wrote:
    > If you open two gmail accounts in two different firebird/fox browsers
    > the first account logged into after a refresh becomes the second
    > account. Or if you send an e-mail with the second account, it may
    > send as the first and refresh back as account1.
    >
    > So if you login with GmailAccount1 and then open another browser and
    > log into GA2, go back to GA1 browser and hit refresh, GA1 will be in
    > the mailbox of GA2.
    >
    > This obviously is not a security risk because the mailbox was already
    > logged into, but I still thought it was a weird thing to do. It doesn't
    > act that way with internet exploder though so it must be something
    > with Firefox ...

    In Firefox there is only ever one instance of the executable, and all
    windows share session cookies (and http auth, which has similar differences
    between IE and Firefox).

    You get the same behavior from IE if you open new windows from existing
    browser windows (crucial for web apps to work). You get a new process that
    does not share session information if you launch a new window from the OS
    (Desktop link, start menu, command-line, etc).

    In practice the difference doesn't matter to the average user, but there are
    lots of Bugzilla duplicates filed by power users asking Mozilla to mimic the
    IE behavior.

    It becomes a minor security problem in conjunction with sites that assume
    the IE behavior and which lazily instruct the user to "close the browser
    window" to completely log out rather than reset the session info from the
    server side. This is insufficient even for IE if the user opens multiple
    windows using Ctrl+N or the File|New menu item.

    -Dan Veditz

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
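The two behaviours Dan describes, modelled as an added example (this is not code from the original post, from Mozilla or from Gmail): a toy session server plus a browser "cookie jar" that is either shared between windows (the Firefox model, and IE windows opened with Ctrl+N) or private to each window (IE windows launched from the OS). The first function reproduces the reported anomaly: two windows on one jar, the second login overwrites the session cookie, and a refresh of the first window lands in the second account. The last function shows why "close the browser window to log out" is insufficient: dropping the cookie on the client leaves the session id valid on the server for any other window that still holds it, whereas a server-side logout invalidates it everywhere. All class and function names (SessionServer, CookieJar, BrowserWindow, the account names) are hypothetical.

```python
"""Toy model of shared vs. per-process session cookies and of client-side
vs. server-side logout. Added example; names and accounts are invented."""

import secrets


class SessionServer:
    """Minimal web application: maps a session id to the logged-in account."""

    def __init__(self):
        self._sessions = {}

    def login(self, account):
        sid = secrets.token_hex(16)          # unguessable session id
        self._sessions[sid] = account
        return sid

    def whoami(self, sid):
        """Which account does the server believe this session id belongs to?"""
        return self._sessions.get(sid)

    def logout(self, sid):
        """Server-side logout: the id is rejected from now on, in every window."""
        self._sessions.pop(sid, None)


class CookieJar:
    """Session cookies of one browser process. Firefox has one jar for all
    windows; IE gets a fresh jar (process) for windows launched from the OS."""

    def __init__(self):
        self.cookies = {}


class BrowserWindow:
    def __init__(self, server, jar):
        self.server = server
        self.jar = jar

    def login(self, account):
        # The server's Set-Cookie overwrites any SID already in the jar.
        self.jar.cookies["SID"] = self.server.login(account)

    def refresh(self):
        return self.server.whoami(self.jar.cookies.get("SID"))

    def close(self):
        """'Close the browser window': the client forgets the cookie, but the
        server is never told."""
        self.jar.cookies.pop("SID", None)

    def logout(self):
        """A real logout link: tell the server to invalidate the session."""
        sid = self.jar.cookies.pop("SID", None)
        if sid is not None:
            self.server.logout(sid)


def firefox_anomaly():
    """Two windows sharing one jar: the second login hijacks the first window."""
    server = SessionServer()
    jar = CookieJar()                        # one jar, as in Firefox
    w1, w2 = BrowserWindow(server, jar), BrowserWindow(server, jar)
    w1.login("GmailAccount1")
    w2.login("GA2")
    return w1.refresh()                      # window 1 is now in GA2's mailbox


def ie_separate_processes():
    """Same steps, but each window launched from the OS has its own jar."""
    server = SessionServer()
    w1 = BrowserWindow(server, CookieJar())
    w2 = BrowserWindow(server, CookieJar())
    w1.login("GmailAccount1")
    w2.login("GA2")
    return w1.refresh()                      # window 1 stays in account 1


def logout_by(server_side):
    """What the server still accepts after the user 'logs out'.

    server_side=False models the site's advice to just close the window;
    server_side=True models a logout link that resets the session on the server.
    """
    server = SessionServer()
    jar = CookieJar()
    w = BrowserWindow(server, jar)
    w.login("GmailAccount1")
    # Any other window of the same process (Ctrl+N, File|New) still carries
    # this id; we keep a copy of it to stand in for that window.
    sid_held_elsewhere = jar.cookies["SID"]
    if server_side:
        w.logout()
    else:
        w.close()
    return server.whoami(sid_held_elsewhere)


if __name__ == "__main__":
    print("Firefox, shared jar, refresh window 1:", firefox_anomaly())
    print("IE, separate processes, refresh window 1:", ie_separate_processes())
    print("after closing the window, server still accepts:", logout_by(False))
    print("after server-side logout, server accepts:", logout_by(True))
```

The lesson for the application side is the last pair of calls: the only logout that works regardless of how many windows or processes the browser has open is the one where the server forgets the session id.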

