Re: Firefox 1.5.0.1 Password Manager Arbtirary User Browsing History Disclosure
> I guess when he uninstalled Firefox
> originally, it wasn't a completely clean uninstall. That's the only
> explanation since we couldn't duplicate my reported bug as easily as
> we thought.
I think that what this comes down to is that when you uninstall
Firefox (or Mozilla), it doesn't prompt you with the option to remove
all user data. That would eliminate the privacy concern, wouldn't it?
To play the devil's advocate, is this a privacy problem at all? Joe
installs software as Mary, creates user data, and uninstalls the
software. Mary then installs compatible software which reads the old
user data. So Mary knows about what was done under her user
account--is that bad? Joe should have no expectation that Mary will
not find out about what he does when logged on as her. Arguably,
Mary's ability to know what her own user account has been used to do
constitutes command of her own information and is a boon to Mary's
privacy.
On the one hand, software should preserve the privacy of all users,
even dumb ones. On the other hand, if you're not going to use multiple
user accounts, you can hardly expect to enjoy the benefits of
privilege separation.
-Eliah