Vivaldi data leak - security concerns


  • Banned

    I really don't like the fact that Vivaldi is showing everybody my private data. Vivaldi browser is recording every single character I write - and it's showing it to everybody. When I log to vivaldi.net (or any other website) I can see all my logins (even incorrect ones, when I made typo writing my login). When I create new topic I can see all previous topics names I've written. When I report a bug I can see all my previous reports. And in email field I can see all emails - every mail adress anybody typed anywhere using my Vivaldi. And there's no option to stop this. Also Vivaldi is hiding the http part of URL - it's really dangerous (at least Vivaldi shows rest of the adress and not only domain name) and also inconvinient because URL moves to the right to make room for http when you try to change something in the adress. And I don't like the fact that Google spyig is enabled by default. At least you can turn it off at the moment. Vivaldi is also gathering data about us. But it's understandable - we are the free testers. I just hope it stops in final version :) My last concern is that link's URL is not visibe when you move cursor over it. It saved me many times from going to some worthless pages pretending to be helpfull link. You can see it on the bottom bar but it's really inconvinient because first you must look on the link and then keep pointer precise over it while you look at the bottom of the screeen. And it takes valuable space (curse you 16:9 screens, 16:10 is better). I hope the latest snapshot is dalayed because they're fixing this.



  • @hondac:

    My last concern is that link's URL is not visibe when you move cursor over it. It saved me many times from going to some worthless pages pretending to be helpfull link. You can see it on the bottom bar but it's really inconvinient because first you must look on the link and then keep pointer precise over it while you look at the bottom of the screeen. And it takes valuable space (curse you 16:9 screens, 16:10 is better).

    @kotoro:

    [attachment=1291]SS.png[/attachment]

    @23rd

    #footer.disabled{
    	 !important;
    	 !important;
    	padding:0 !important;
    	height:0 !important;
    	width:0 !important;
    }
    
    #footer.disabled > *{
    	 !important;
    }
    #footer.disabled #status_info{
    	 !important;
    }
    
    #footer.disabled #status_info span{
    	 !important;
    	bottom:0 !important;
    	left:0 !important;
    	margin:0 !important;
    	color:#333 !important;
    	background-color:#FEFEFE !important;
    	 5px !important;
    	border:#9E9E9E solid 0 !important;
    	 1px 0 0 !important;
    	 !important;
    	overflow: hidden !important;
    	white-space: nowrap !important;
    	text-overflow: ellipsis !important;
    	z-index:50 !important;
    }
    
    #footer.disabled #status_info {
    	 !important;
    }
    
    

    This code is working only when status bar disable.
    It's not perfect. Popup status info overlaps the panel.


  • Banned

    I meant something like this.

    And I want it be a feature of Vivaldi, not some hacking that stops working in next snapshot.

    But my main concern is Vivaldi recording everything.


  • Banned

    Please make it stop doing this.



  • @hondac:


    Also Vivaldi is hiding the http part of URL - it's really dangerous (at least Vivaldi shows rest of the adress and not only domain name) and also inconvinient because URL moves to the right to make room for http when you try to change something in the adress.
    ...

    Right now on my Ubuntu 15.04 system with Vivaldi 1.0.219.50 (Developer Build) unknown (64-bit) I can't confirm this behaviour as you can see on the first snapshot. If I click into the url the green part is reduced to the picture of the lock, so the url is moved to the left. (See 2nd snapshot.) Because the whole url is marked now, always I have to click again, if a detail needs to be changed.
    Attachments:
    ,


  • Vivaldi Translator

    I guess you are not familiar with Chrome or even what hacking involves.
    Or that using Alpha status software will involve strange and unwanted behaviour.
    If you do not want strange and unwanted behaviour, come back when the browser is finished.

    Vivaldi and the browser are not hacking you, just as Google and Microsoft are not hacking you.
    None of us here can see your private data, so your claim that "Everyone" can see it is false.
    If you are not logged into a Google account, then any data being sent home is not connected to a user.
    I don't know if Vivaldi have tied the browser to a Vivaldi account, but as there is no option to log the browser into an account, I doubt it.

    So where is the leak going ?

    If you are referring to auto-complete typing and predictive text and URLs from your history, then yes anyone looking over your shoulder can read it, just the same as if you typed it all manually.
    All we can hope is that Vivaldi get round to adding an easy to find, disable auto-complete option.

    Hiding parts of the URL is the default behaviour of Chrome, and has been complained about since it was introduced. Vivaldi have not added this, but hopefully they will change it, or add a user option.

    I see almost all links when I hover over them. This must be a problem with your install.
    What you show in your picture is not what the rest of us see.
    You have found bugs. Please fill out the bug report.
    https://vivaldi.com/bugreport/

    You should be more concerned about Chromes other abilities which you have not seen, such as the fact that Chrome sees all your local disk activity and files you open, and addresses visited with IE, but normally filters it from the history, so you don't see it.


  • Banned

    @RJules3
    You are using https, not http - try on wikipedia which supports both.

    @Dr.Flay

    @Dr.Flay:

    Vivaldi and the browser are not hacking you

    Where I said they are?

    @Dr.Flay:

    If you are referring to auto-complete typing and predictive text and URLs from your history

    I'm not referring to URLs - I refer to every text field. Go to bug report page and double click on mail field - you will see all mails ever typed on any website using Vivaldi (or click on first field to see list of your bug reports). Or try logging to vivaldi.net using some random name and password - Vivaldi browser will remember it. It will remember every character you type in text field. And show it to everybody. And there's no way to stop this.

    @Dr.Flay:

    so your claim that "Everyone" can see it is false.

    No, it's not. As you can see above. Just double clicking on text field reveals everything.

    @Dr.Flay:

    I see almost all links when I hover over them. This must be a problem with your install.
    What you show in your picture is not what the rest of us see.

    What I've shown in the picture is what I want to see - full URL when I move cursor over link. Now it's displayed on the bottom bar.


  • Moderator

    hondac - the things that are bothering you are essentially the operation of cookies. The are not security or information leaks, and the only persons who can read the data that concerns you are persons who can stand in the room with you and visually read your monitor.

    The data are, for the most part, stored on your hard drive and not at the remote sites, and cannot be seen by anyone who cannot view the GUI of your copy of Vivaldi. Cookies tell the website you "are" or "are not" logged in for instance, and then the website, if you "are" logged in, lets you see things like past posts. It would obviously be insane for a forum or blog website, for instance, to not store and display posts. That's a function of the site, not your browser.

    Long story short, YOU being able to see something is not the same as EVERYONE being able to see it - unless of course, your computer is completely insecure and viewable by everyone in the world, in which case you have MUCH bigger problems than your browser.


  • Banned

    It's not cookies. And if Vivaldi stores this data in cookies - then it's a serious problem because any website can access them.

    It's not person looking above my shoulder seeing what I'm typing at the moment. Anyone can see everything I EVER typed.
    Do you keep your computer in concret bunker in secret location? Don't you ever give it to your family member or friend to check something?
    I don't need to know what they type. And Vivaldi doesn't support private tabs. Even if it did it would still show my data.

    I will try to explain it to you in simple terms. I log to website A (webmail) and choose not to remember password. Then I write some comment on website B using different mail. And then I want to report a bug on Vivaldi bug tracked - and in email field I can see both mails (depite never using them there).
    You are writing about something completely different.

    Long story short - I don't want Vivaldi to record anything. Or at least option to switch it off (with 'no recording' enabled by default).


  • Moderator

    So it's really simple. You want Vivaldi to record nothing, because you cannot be bothered with physical security of your computer and you don't want anyone who has physical access to your computer to be able to learn anything from it. You should have just said so.

    This has nothing to do with security or information leak. It is merely your privacy preference and should be expressed as such.

    "I'm a private individual. I cannot be bothered with physical security of my machine. I only want to use browsers that record absolutely nothing of my browsing history or habits. I would like Vivaldi to come up with such an option."

    Actually, an option along these lines would seem to be likely to arise at some point.


  • Banned

    Are you so dumb or are you just pretending?
    I just don't want it to show this specific data (and record it).
    Instead you tell me to hire two guys with guns to physically guard my computer…

    What with other computers?
    I visit my friend. He has some unknown Vivaldi browser. I owe him some money so I log to my internet account (using one time password). Or just check facebook. In the process I leave him all my logins. It doesn't happen in any normal browser like old Opera or IE.

    Vivaldi is showing my data to everyone and there's no way to stop it so I called it a leak. I mentioned other security concerns.

    People has been asking for private tabs option for months - but it won't fully solve this problem.

    What's so hard stopping it recording everything? Just make it an option (disabled by default).


  • Moderator

    You're not going to get anywhere calling me names.

    Look at it this way: The options you want are not available YET.

    "What's so hard…?" The explanation is obvious to anyone who has done any development work, but too long to get into here. Suffice it to say altering the default behaviors of any software is fraught, not simple.

    So my recommendation to you is to stop using Vivaldi and wait a few months or a year or two until it has the options you want, and try it again. In the meantime you can use one of these "secure" browsers that makes you happy.

    And by the way - I have never had Vivaldi store a login that I didn't tell it to.


  • Banned

    I'm not calling you - I asked a question.

    I use Vivaldi for testing. My main browser is old Opera because it has best usability and speed. For the few problematic websites I use IE.
    After I started using Vivaldi (and tested other Blink based browsers) I've already encountered a few websites not working properly in Chromatic browsers (while working fine in aforementioned two).
    Chrome is on it's way to become disease worse than IE6.

    Just visit vivaldi.net, use some random characters as login and password (it doesn't need to be real login), and select not to remember login. Go to vivaldi.net again and double click in place where you write login - it will show you login you've written previously.


  • Moderator

    I do not find this to be the case.

    If I have logged in before successfully, and told it to store my login, it stores any SUCCESSFUL login after that, and stores no unsuccessful login. If I have never told it to store a login for a page, it does not do so - whether successful or unsuccessful. I cannot duplicate the behavior you describe.


  • Banned

    I've installed Vivaldi on clean install of Windows 10 - and Vivaldi records everything I ever typed.
    It's a default setting and it's not possible to change it.

    Here is one example.

    What's interesting, it's showing my email I used to report a bug, and another email I used on different site.

    Here is another.

    It shows my login from this website and my 2 logins from other unrelated sites (blacked out).
    And my other login I use on this site I suppose?

    It's not possible to switch it off.
    (And when Vivaldi asked I told it not to remember any login or password or form.)



  • You do not like autofill settings? Turn it off. Go to:

    vivaldi://settings/search#a

    and deactivate the wished options under passwords and forms.

    Most likely problem solved ;)



  • I generally assume that the list itself is protected by the fact that page JS is not allowed to access widgets' shadow DOMs.

    One wrinkle: To a user, it does look like it instantly fills them in if you mouse-hover over each suggestion possibility, or if you press down to cycle through the possibilies (testing right now in Ubuntu). So, out of curiosity, I decided to test whether the page can actually see any change in value when you hover or cycle through.

    So while on the bugreport page, I opened the browser console, and entered
    testInterval=window.setInterval(function(){console.log(document.getElementById('inputEmail').value);},500);
    then, in the bugreport page's email input box, I typed the first letter of several email addresses I use, and hovered over the entries in the list that appeared, and also tried cycling through them with the up and down keys.

    Thankfully, it appears from the console log that (although to a user it looks like things are getting substituted into the input box as you mouse hover over the listed possibilities) the page cannot actually see them until you actually click or hit Enter to select one of the suggested completions, so apparently all the listed entries are still safely kept in the widget's shadow DOM, inaccessible to the site, as it should be, and an entry only become visible to the page's own javascript when you actually actively choose it.

    Of course, if you accidentally click on one of the listed possibilities, then yes, a site could instantly pick that up.



  • Autofill is a normal function of a browser, as most people do like the fact that their search terms are remembered so they only need a single click to pick that suggestions up again for further use. Same with email addresses.

    So, this has nothing to do with weak security, this is just "by design"


  • Banned

    @Sajadi:

    You do not like autofill settings? Turn it off. Go to:

    vivaldi://settings/search#a

    and deactivate the wished options under passwords and forms.

    Most likely problem solved ;)

    Why isn't this option in the settings but hidden from the user?
    But the option doesn't delete already saved data - only hides it, you have to clean it yourself.

    Thanks, your single post was more informative than all the posts ever written by Ayespy.

    @Sajadi:

    Autofill is a normal function of a browser, as most people do like the fact that their search terms are remembered so they only need a single click to pick that suggestions up again for further use. Same with email addresses.

    So, this has nothing to do with weak security, this is just "by design"

    It is a really bad design. Especially that you can't turn it off and it shows all data (not only logins specific to particular site).

    What's the purpose of showing me my previous bug reports?
    Is it suggestion to send them again because they weren't fixed?

    Also I must complain about password manager.
    The one in old Opera was great - but the current one is not so great.
    It automatically puts login and password when I visit a website showing it to everybody (but not logs in…).
    It was much better in the old Opera with separate button for it - especially when using more than one login.



  • You can turn it off. Both autofill and password storage.

    To post it again:

    You do not like autofill settings? Turn it off. Go to:

    vivaldi://settings/search#a

    and deactivate the wished options under passwords and forms.

    Most likely problem solved ;)


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.