The recent Risks digest had an interesting item about a bug in Firefox that ended up causing a woman to discover that her fiancé was visiting dating sites behind her back.

He was pretty diligent about clearing his browsing history and the cache to prevent her from finding out, but this bug gave him away quite by accident.  He had made sure to never allow Firefox to store his password for the dating sites, but it turns out that under the “Saved Passwords” page you can access a list of sites which it will never save passwords for (in response to you pressing the “Never for this site” button).  This turned out to be his undoing, as the list turned out to be shared between user accounts.

At least she has a little bit of a sense of humor about it.  Check out “Step 9” in the “Steps to Reproduce.”

This privacy flaw has caused my fiancé and I to break-up after having dated for 5 years.

Basically, we share one computer but under separate Windows XP user accounts. We both use Mozilla Firefox—well, he used to use it more than I do but now we don’t really use it.  The privacy flaw is this: when he went to log-in under his dating sites (jdate.com, swinglifestyle.com, adultfriendfinder.com, etc.), Mozilla promptly asks whether or not he’d like Firefox to save the passwords for him.  He chose never, obviously.  However, when he logged off his user account, and I logged onto my Windows XP account X amount of days later, I decided to use Firefox because hey—it loaded everything much more
efficiently, was better to work on with website designs and is a lot more stable than IE7beta2.

Firefox prompted whether or not I’d like it to save my password for logging into my website.  I chose never and changed my mind.  I went into the Password Manager to change the saved password option from Never to Always and that’s when I saw all these other sites that had been selected as “Never Save Password.”  Of course, those were sites I had never visited or could ever dream of visiting.

Then I realized who, how and what…  and sh*t hit the fan.  Your browser does not efficiently respect the privacy of different users for one system.

Reproducible: Always

Steps to Reproduce:
1. Create 2 unique user accounts (for steps sake, let’s call the two accounts Joe and Mary) in Windows XP Home.
2. Logout and sign-in under Joe.
3. Open Firefox and go to an e-mail site or to jdate.com or wherever.
4. Attempt to log-in to the site so that Firefox will ask whether or not you want your password saved.
5. Choose not to save the password.
6. After successfully logging in and having selected the “never save password” option, logout.
7. Log-in as Mary and open Firefox.
8. Browse, browse, browse… but you don’t really have to.  Just go to “View Saved Passwords,” click on the tab that will show you sites to never save passwords for, and you’ll see whatever painful site Joe denied to save a password for.
9. Break-up with fiancé.

Firefox should be respecting every single area of privacy per user on one system.  It’s not doing that…  I’m going to submit this as Major because not everyone shares one computer, but it should really be considered Critical.

So, guys, let this be a lesson not to mess around on a tech-savvy woman.  Or at least don’t do it on her computer.