Security problem in vivaldi "private navigation"

ericmelvin10

While using private navigation I've access to all credentials in input forms from stored websites...
The private navigation is not private anymore since the browser knows the credentials from every login prompt you visit.

This is a non desired behavior.

Pathduck

@ericmelvin10 I don't see any "security problem". Saved autofill values and credentials are available in private windows, that's perfectly normal.

It would only be a problem if autofill/passwords/history/cookies etc are saved in a private window so it is available in a regular window.

DoctorG

@ericmelvin10 May be misunderstanding.
Private Window means: It does not store any information.
Using autofill in forms from regular use is not storing but retrieving information.

tarquin

Perfect answer @DoctorG
This is how Chromium's private browsing (Incognito) mode is designed to work. It tries not to store anything from private browsing windows, but those windows have access to anything that was already stored in non-private windows.

If you don't want that to happen, you can of course disable saving of things in regular windows, but that is quite limiting. The more convenient method is to open a guest profile (profiles button to the right of the address field), then open a private browsing window there. That means you get the benefits of private browsing mode (no disk cache, etc.), and also it will not have anything that was stored in your main browsing session.

If you are seeing it automatically store something from a private browsing window (other than things like downloads and bookmarks, which intentionally transcend the private boundary), which then becomes available in regular browsing windows, that would be a privacy issue, and please report it to us.

(Separate note; this relates to privacy, not security. It's in the name; private browsing.)

ericmelvin10

@tarquin And this is why people are switching to brave.

For me is a security/privacy issue. (Privacy issues can produce security issues, like accessing with my credentials)

I don't want to "retreive" private information while "private" browsing.
Because of this behavior I can't let someone browse for a moment in my computer, can't put a kiosk mode, can't make a live presentation browsing a webpage without givingaway at least my username in a page...

For me is a no-no.

tarquin

Again, this relates to privacy only, not security. Security is about protecting you from a remote attacker. Preventing them from gaining access to your computer. Preventing them from being able to break your secure connections. Privacy is about hiding things from other trusted users of your computer and browser profile - that is exactly the very definition of what private browsing is designed to do. Privacy is also about hiding limited private details from the websites you are using. So this really does not relate to security, it relates only to privacy. If you need further clarification of what relates to security, please see https://vivaldi.com/security/how-we-rate-security-issues/

Unfortunately, your comment does not clarify exactly what you think is being leaked, where from and where to. If it is retrieving some form field you filled in in a non-private window, and offering form completion in a private browsing window, that is what the Chromium engine is designed to do (and the other browser you mentioned is a Chromium-based browser, so unless they have broken form autocompletion somehow, then it will almost certainly do exactly the same thing). ALL Chromium browsers use the same code for form autocompletion, and for private browsing.

Remember that like all Chromium-based browsers, Vivaldi has a setting to disable form auto-completion. Vivaldi menu - Tools (or main menu on Mac) - Settings - Privacy and Security - Save Webpage Passwords, Save and Fill Payment Methods, Save and Fill Addresses. Or you can open chrome:settings/autofill in a new tab, and disable whatever features you want. This will affect both non-private and private browsing modes.

Also remember that Vivaldi is not handing those details to the website. It offers to let you fill it in, but the website cannot see it until you actually choose to fill it in. It makes your life easier, but it does not leak anything. If you don't choose to use the stored details, then the website sees nothing.

If it is not that, perhaps try explaining exactly what is being filled in, on exactly what website (give the address of the website, so we can see what is happening). Give a series of steps - do this, then do this, then do this - so we can see exactly what to do to reproduce the problem you are experiencing.

"Because of this behavior I can't let someone browse for a moment in my computer, can't put a kiosk mode, can't make a live presentation browsing a webpage without givingaway at least my username in a page"

Yes you can. This is what the Guest profile is designed for. You should not give someone else the use of your browser profile, private or non-private. It sounds like you are using the wrong feature, and wanting it to do something that it is not designed for, rather than using the feature that was actually designed for the purpose you want.

But if you don't trust someone, what on earth are you doing giving them access to your computer account? They can install spyware or malware that takes all of your private information from your computer, or gives them complete remote control over your computer. At worst, give them a guest account on the computer (most operating systems offer this as a feature), but for the best protection, do not give them access to your computer at all! Seriously, this cannot be stressed enough. It is not related to the browser. If you do not trust someone, they should not ever be given access to your computer account. That really is a security risk of the most serious degree, and in that case, the security issue is you, for giving them the access.

Pathduck

@ericmelvin10 said in Security problem in vivaldi "private navigation":

And this is why people are switching to brave.

Uhm... no.

Just tested in Brave.
Used this page filling out a bogus user+password:
https://pathduck.github.io/test/login/

Credentials are available in a private window in Brave:

Used this page filling out some bogus info:
https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_input_test

Autofill triggers in a private window in Brave:

So Brave is no different than Vivaldi - autofill and credentials from a regular session are available in a private window.
And that's perfectly normal and perfectly safe.

Pathduck

@tarquin said in Security problem in vivaldi "private navigation":

Remember that like all Chromium-based browsers, Vivaldi has a setting to disable form auto-completion. Open chrome:settings/autofill in a new tab, and disable whatever features you want. This will affect both non-private and private browsing modes.

Actually there's no need to go into Chromium settings for this, Autofill can be controlled from Vivaldi Settings. These two option are directly linked:

tarquin

@Pathduck Thanks, edited my comment accordingly.

ericmelvin10

@Pathduck So the problem is crhonium.

tarquin

@ericmelvin10 No, the problem is that you are using the wrong feature. The feature you are looking for is called a Guest Profile. It is built in to Vivaldi. Click the profiles button to the right of the address field, and select "Open Guest Profile".

Pathduck

@ericmelvin10 said in Security problem in vivaldi "private navigation":

So the problem is crhonium.

Nope. Same in Firefox private windows:

Although FF is slightly different for autofill values, it requires an extra click inside the input field before the suggested values appear:

ericmelvin10

@tarquin said in Security problem in vivaldi "private navigation":

@ericmelvin10 No, the problem is that you are using the wrong feature. The feature you are looking for is called a Guest Profile. It is built in to Vivaldi. Click the profiles button to the right of the address field, and select "Open Guest Profile".

That's the answer... Thank you.