Sign-in security flaw (no password required)
Astonishingly, Firefox Accounts, and everything behind them, do not require any password for sign-in/log-in. That is, I created a PW and logged in once. But no matter how many times I sign out, Mozilla's systems let me back in with just a user name and no PW required. This utter failure at basic security is quite disturbing.
All Replies (4)
Hi beskeptical, please ignore the spam message promoting an unofficial phone number.
Firefox usually saves your Firefox Account login. If you want to disconnect your Firefox Account between uses, you can use the menu for that.
Please note that locally saved logins are readily accessible when you start Firefox unless you set a Master Password. More info in this article:
Use a Primary Password to protect stored logins and passwords
Hi @jscher2000:
Can you explain what you mean by "use the menu" to disconnect? There is a drop-down menu in the upper right corner which includes an option for "sign-out." A normal user experience, and the reasonable expectation, is that selecting this option would do what it says: sign-out. However, it does not, as a practical matter, because signing back in does not require re-entry of a password. This makes Firefox, a supposedly privacy-oriented and security-conscious group, different from every other website I've ever encountered. Thank you.
Hi, following up. This remains an unresolved security flaw -- unless anyone knows a workaround. Thanks.
Did you apply a Master Password? If so, the saved login for your Firefox Account won't be used until you enter it.