Amazon.com knows your password even when the browser hasn't stored the password
-
@alowenst
Hi, I was curious how other browsers manage this and tested Firefox as a non-Chromium browser. It does exactly the same as Vivaldi and Opera, for example.
It logs you in automatically, even when you check never save passwords and uncheck "Remember me".
Do you know any browser that manages this correctly?
Cheers, mib
-
Komposten VIVALDI TRANSLATOR about 2 hours ago
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
If you are logged in in spite of those three things, then Amazon is definitely doing something wrong. Like saving a login cookie even though there shouldn't be one. Sounds to me like a problem with Amazon and not with Vivaldi.
Yes, Amazon is bad. Vivaldi (and others) said that they wouldn't remember the password if the user so directed. That is a lie. Vivaldi won't remember if the web site is implemented properly. If Amazon is implemented improperly, what is the probability of other (non-IT) companies having a problem?
I'm not saying that an ordinary user should have to verify these three things in order to be logged out. They should be able to expect that leaving "Keep me signed in" unchecked will cause them to be logged out when they close the browser. If that is not the case, then Amazon is doing something wrong (as mentioned above). Vivaldi could implement a hack that ensures that a user is logged out automatically if "Keep me signed in" is unchecked, but that would be ugly, unexpected and Amazon-specific.
Yes, Amazon has a problem. Other websites will also have the same problem. If you can't implement a solution properly (see discussion above about ads and trackers), then another approach is needed. Yes, Vivaldi doesn't have the clout of Chrome, Firefox, and Microsoft Edge to force an industry change, but you guys are good. That's why I use your browser. That's why I've taken all this time to address the issue on the Vivaldi forum. You guys have been responsive and care. Look at all the talk. But the fact that this is everyone's problem does not mean that Vivaldi can't be a leader on this issue. Maybe Vivaldi's leadership on such an important issue could lead to Vivaldi having greater recognition/visibility, a reputation for excellence, and market share.
Those sites are doing things the way they should be done -- they prevent access to sensitive information after longer periods of time by requiring the user to re-enter their password. That is how I would expect a website handling sensitive information to behave.
As you say, a website could change its code so that whatever experiments you do no longer apply. Similarly, if Vivaldi implements a hack that ensures you're logged out from Amazon, Amazon could just change how they do things and that hack is now useless. The best Vivaldi could do would be to add a popup with an option to "Clear all data for this website when Vivaldi is closed". That would pretty much guarantee that you are signed out, but would also affect other site-specific settings (cookie policy choice, theme, etc.) and could thus not be marketed as a "log me out" option (leading to your average user not using it).
Yes. That is why I brought up how Browsers handle ads and trackers. Again, I offer that solution as a last resort.
End of the day, it is up to the user to trust the website. And if the website provides a function (keep me signed in) that doesn't work, that should be taken up with the company behind that website. If you don't trust the site, don't give it your information in the first place. Personally, I never save credit card information on any website, whether it's Amazon, Steam, or any other (more or less) reputable company.
Here we strongly disagree. We know we can't trust any website. The compromise of SolarWinds compromised virtually everything. The CIA and NSA were hacked. Yes, I avoid giving my credit card information whenever possible. That's why I use Paypal. It is not that I 100% trust Paypal, it's that I need to use Paypal sometimes, so using Paypal reduces the number of vendors to whom I've exposed the credit card. Also, I certainly don't trust a site to forget my credit card. That's a promise contingent upon a company's honesty, competence, and backup practices.
I also feel like I should mention that while I have a badge saying "Vivaldi Translator", I'm not a Vivaldi employee and I don't speak for the company. These posts are based on my personal knowledge and opinions. (You may already know this, but I felt like it's worth mentioning.)
Thanks for your comments. Many will have your thoughts. You gave me a chance to clarify issues that others care about. As stated above, I take it as a compliment that people on this Vivaldi forum have been responsive.
-
It's getting late here so I don't have time to read through and reply to your full post, but I'd like to say this at least:
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Yes, Amazon is bad. Vivaldi (and others) said that they wouldn't remember password if the user so directed. That is a lie.
Vivaldi doesn't remember the password. Vivaldi doesn't even know that you are logged in to Amazon. So Vivaldi doesn't technically lie.
This is the whole problem here. Vivaldi can't fix something that Vivaldi isn't aware of, not without hardcoded fixes for specific sites or general-purpose tools that do more than log you out.
Of course, being one of the most inventive browser teams there are, I wouldn't be surprised if the Vivaldi team actually manages to find a solution to this. I just personally can't find an obvious one.
-
@Komposten said in Amazon.com knows your password even when the browser hasn't stored the password:
Vivaldi doesn't remember the password. Vivaldi doesn't even know that you are logged in to Amazon. So Vivaldi doesn't technically lie.
This is the whole problem here. Vivaldi can't fix something that Vivaldi isn't aware of, not without hardcoded fixes for specific sites or general-purpose tools that do more than log you out.
Of course, being one of the most inventive browser teams there are, I wouldn't be surprised if the Vivaldi team actually manages to find a solution to this. I just personally can't find an obvious one.
Here's what Vivaldi can do tomorrow. When you select never save the password, Vivaldi could say:
I can't do that unless I (Vivaldi) block persistent cookies for that website. Do you want to never save the password and block persistent cookies for this site? Yes or no.
There are probably 100 better methods. I doubt this is the best. But it is one that should work even if a web site has bad password hygiene.
And Vivaldi could be the leader who presents this to industry for a better fix (which I guess involves a tracker/advertisement class fix.)
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Yes, I avoid giving my credit card information whenever possible. That's why I use Paypal. It is not that I 100% trust Paypal, it's that I need to use Paypal sometimes, so using Paypal reduces the number of vendors to whom I've exposed the credit card.
I hate myself for being off topic, but your opinion is kind of ironic if you look at how many companies PayPal exchanges your data with (hint: 500+):
https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list
-
I would be interested to know how you became aware that amazon remembers your password.
You said that you only noticed when you saw you were already logged in, but as you noted earlier, you can do that with cookies, no need for the password.
You also said you want cookies to remain as they are useful. I assume that's because they keep you logged in?
I'm not trying to be facetious, I am just having trouble seeing the problem.
Amazon are not my favourite company but I imagine as a big tech firm they probably are doing proper password security. If you have proof of the opposite you should disclose it to them directly. Vivaldi can't do much about that.
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Here's what Vivaldi can do tomorrow. When you select never save the password, Vivaldi could say:
I can't do that unless I (Vivaldi) block persistent cookies for that website. Do you want to never save the password and block persistent cookies for this site? Yes or no.
I still don't think this is necessary. If you choose "Never save the password", Vivaldi does not save the password. Vivaldi is not lying. You're not being logged in to Amazon automatically; it's Amazon that remembers that you are logged in (not your password).
-
@derDay
I hate myself for being off topic, but your opinion is kind of ironic if you look at how many companies PayPal exchanges your data with (hint: 500+):
https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list
Thanks. I never heard or thought of that. I like to be reminded how stupid and naive I can be. Of course, PayPal would monetize that. But I will still use PayPal and trade off credit card exposure versus privacy (which is lost by so many other things, not the least of which is Amazon.)
-
Komposten VIVALDI TRANSLATOR about 8 hours ago
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
I still don't think this is necessary. If you choose "Never save the password", Vivaldi does not save the password. Vivaldi is not lying. You're not being logged in to Amazon automatically; it's Amazon that remembers that you are logged in (not your password).
Please correct me if I'm wrong and putting words in your mouth. You think it is OK to offer a feature that says never save passwords when (a) you know it doesn't work sometimes, (b) you know when and why it doesn't work, (c) you know a major web site on which it doesn't work, (d) you don't think it's important to warn the user there may be a problem, and (e) Vivaldi provides several mechanisms showing that Vivaldi hasn't saved the password, but nevertheless the password has been saved.
Since I'm sure I'm mistaken and have misrepresented your view, please correct this response.
-
@alowenst The thing that we are trying to say is that a password isn't being saved. A logged-in state is being stored in a cookie, but no password is being saved.
The "Never save passwords" option seems like it is working as it should based on what you said. With that option it should not be saving passwords in the internal password manager or asking you to save passwords.
Providing a warning for Amazon specifically would not be beneficial because just about all websites will work the same way. There are some more sensitive websites that invalidate the cookie storing the logged-in state after a short period of time, but most websites have much longer durations before the cookie is invalidated.
The only issue that looks to be in question here is the unchecking of the "keep me logged in" option on Amazon. If you have that unchecked and a restart of the browser doesn't invalidate your login, then that could be a bug.
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
when (a) you know it doesn't work sometimes
It does work - saving the name/password is NOT your problem!
(b) you know when and why it doesn't work
There is no evidence that "don't save password" has failed
(c) you know a major web site on which it doesn't work
Sorry, but again that is not your problem!
(d) you don't think it's important to warn the user there may be a problem
Again, saving password(s) is not the problem
(e) Vivaldi provides several mechanisms showing that Vivaldi hasn't saved the password, but nevertheless the password has been saved.
No it hasn't!!
Since I'm sure I'm mistaken
This is what I believe is happening.
When you login to a site (using name/password) the site is setting a persistent cookie which contains something saying an encoded form of this is "user 1234A5678B9ABCD" (or whatever).
If this cookie is not removed on leaving the site/closing the browser, then next time you visit the site it reads the cookie and recognises you as "user 1234A5678B9ABCD".
The MAJOR point is that nowhere has your name/password been saved!
What is being saved is your "userid" for that site.
Please note: No other (unaffiliated) site could read this information.
I appreciate you may see this as a technicality, but the point is that a browser cannot decode the cookie(s) to determine which one a site is using as the user identification!
The only solutions are:
1) The site does NOT use persistent cookies for user id.
2) The browser does not store persistent cookies.
Vivaldi has no control over option 1). You have to complain to the site about this!
Vivaldi can perform option 2) if you choose the setting "session cookies"; but that would remove ALL cookies for that site as previously stated.
Also, Google does a similar thing for Google email(s)/Youtube etc!!
-
I thought about the problem overnight. Here's an approach for a global solution. (I know diddly about Web programming, but I was a chairman of subcommittees responsible for VHDL. So, feel free to throw out and ignore all of the following. Feel free to use or abuse the following. I view that my job is only to stimulate discussion.)
1. Right now, Browsers apparently know when password stuff is happening, otherwise they wouldn't be able to ask to save a password.
2. Some web sites handle the password problem properly. One or more of those methods should be used to develop a Login API. A browser-side API implementation can ensure that passwords are handled properly on the browser's hardware. As long as a Web site developer uses the API, the Browser can implement a never save password function.
3. When password stuff is happening,
a. If the web site uses the well-tested, widely reviewed Login API (which does not exist today), life is good.
b. If the web site doesn't, then do something as good as or hopefully better than what I suggested above in the post "Here's what Vivaldi can do tomorrow".
c. By the way, if this is a good idea and if this is done, there will be, not might be, a phase-in period where some web sites handle the Login API and others do not. So there must be a (3b) option.
4. The Login API should be developed by knowledgeable Web developers, not me. I provide the following suggestions only to stimulate discussion. The API should:
a. Handle passwords. (I don't know what this means, I'm way over my head here. Perhaps, ensure encryption, control who can access the password, ???)
b. Optionally allow the Web site to log out the user if there is no activity in xx minutes
c. Ask the user whether to save the password, never save the password, or don't save the password now.
d. Optionally allow the Web site to ask the user to confirm the password
e. ??maybe?? Something to handle two (or 3?) factor authentication, e.g., getting a phone call or text
f. ????
5. Should there be one or multiple Login APIs? I think the most important consideration is political. If you can get consensus on one API, do that. If not, then allow as many as needed to achieve consensus.
6. Disadvantage of one API. A widely-used API for handling passwords will, not might, be attacked by hackers. Validating the API and API implementation is critical. However, there are many methods and targets to attack in any Browser, and how much additional risk a Login API introduces should be determined by more knowledgeable people than I. And this should be done before wasting time on the ideas in this post.
7. Here's an objection. OK, Vivaldi developed an API, it works well, however, no web site uses it, because Vivaldi is not as popular as Chrome, Microsoft Edge, Firefox, Safari, ... What a waste of time and effort.
Here's an approach to address this existential problem. Let's assume that I'm at least somewhat right and this password issue is a serious problem. Let's further assume that at least some managers and developers at Chrome, Microsoft Edge, Firefox, and Safari recognize that this is a problem and care about fixing the problem. Then, if Vivaldi offers a solution for Chromium browsers, I expect a viable solution, perhaps even Vivaldi's, can be achieved. If Chromium browsers buy in to a solution, I believe others will follow.
==========
TbGbe stated:
This is what I believe is happening.
When you login to a site (using name/password) the site is setting a persistent cookie which contains something saying an encoded form of this is "user 1234A5678B9ABCD" (or whatever).
If this cookie is not removed on leaving the site/closing the browser, then next time you visit the site it reads the cookie and recognises you as "user 1234A5678B9ABCD".
Just read this excellent comment.
If this is the problem, then 4a in the above solution should ensure that Login API handles the creation and destruction of "user 1234A5678B9ABCD" cookies. (Note what I said about my expertise in 4a.)
A digression. This is interesting. I think you are saying some web sites allow you to bypass login if you have something like a static "user 1234A5678B9ABCD" cookie. The cookie can be a session or persistent cookie. Could this cookie be copied to an installation of the browser on another computer? And could someone on the second computer access the web site account without logging in? So could someone with access to a computer access password-protected accounts of web sites that use persistent "user 1234A5678B9ABCD" cookies? Or does this cookie have some mechanism to prevent its use on another platform?
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
A digression. This is interesting. I think you are saying some web sites allow you bypass login if you have something like a static "user 1234A5678B9ABCD" cookie. The cookie can be a session or persistent cookie. Could this cookie be copied to an installation of the browser on another computer? And could someone on the second computer access the web site account without logging in? So could someone with access to a computer, access password protected accounts of web sites that use persistent "user 1234A5678B9ABCD" cookies? Or does this cookie have some mechanism to prevent its use on another platform?
Yes, if a cookie were copied to another PC, it could potentially be used to make the site think you were logged in on the other PC - and in fact, this has been exploited in the past. For this reason, modern websites and web systems never rely on purely the cookie data to determine who is logged in. Instead, many websites now use what is known as "Session Identifiers", where various other clues, such as when you first logged in, the declared User Agent string of the browser you're using, your IP address and other details are stored by the site (typically in a hashed form for privacy reasons); and every time you perform an action, the software checks these details and compares them to what it has recorded. If it finds something has changed, it declares the session "invalid", and forcibly deletes the cookie and logs you out. (I am grossly simplifying here, but you get the general idea.)
-
Thanks for the answer. And thank goodness some (almost all?) web sites address this issue.
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Please correct me if I'm wrong and putting words in your mouth. You think it is OK to offer a feature that says never save passwords when (a) you know it doesn't work sometimes, (b) you know when and why it doesn't work, (c) you know a major web site on which it doesn't work, (d) you don't think it's important to warn the user there may be a problem, and (e) Vivaldi provides several mechanisms showing that Vivaldi hasn't saved the password, but nevertheless the password has been saved.
Since I'm sure I'm mistaken and have misrepresented your view, please correct this response.
a) Vivaldi's password manager works as advertised. If you tell it not to save your password, it won't save your password.
b) See a.
c) It works on all websites, including Amazon.
d) Yes, that is important. But as there is no problem with the password manager it shouldn't need to warn users. The problem is with Amazon.
e) The password has not been saved. It does not exist in the password manager and it does not exist in any cookies.
I think (e) is the big misconception here. Vivaldi's password manager stores passwords. Cookies do not store passwords. You are not being logged in because your password is stored, you are being logged in because Amazon generates a unique token (that has nothing to do with your password), stores that in a cookie, and uses that the next time you open Amazon to see that "the user who has token X is supposed to be logged in".
Right now, Browsers apparently know when password stuff is happening, otherwise they wouldn't be able to ask to save a password.
The user writes something into a text field set to "password mode" and then submits. This means that the browser knows that the text value the user has submitted is a secret that might be a password. That's the extent of the browser's knowledge. It does not know if the web server, in response to the submission, places a session/authentication/login cookie in the browser.
Of course, if the browser implemented an API it would be possible for the server to respond in a way so that the API knows a session/authentication/login cookie has been placed. So using a login API would definitely be feasible and put more power in the hands of the browser when it comes to managing logins. You just have to keep in mind that logins work both through passwords (like Vivaldi's password manager) and tokens (via cookies created by web servers) so the API would have to manage both those things.
-