Amazon.com knows your password even when the browser hasn't stored the password
-
I have told the browser to not remember the password for Amazon on Vivaldi, Firefox, Chrome, and Microsoft Edge. I've checked the settings on these browsers to ensure I did this correctly. I checked saved passwords in each of these browsers, and the Amazon password is not listed.
However, if I don't log out from Amazon and subsequently go to Amazon.com, I am automatically logged in even if I restart the browser; indeed, even if I restart the computer and browser. What is happening? Where is this information being stored? An Amazon cookie? Who should be contacted to have this fixed? I asked Bruce Schneier and he said he didn't know.
Al Lowenstein
516 921 8097 -
@alowenst
I don't know if this is a troll thread or not
but of course the login info is stored in a cookie, so if you delete them, for example with CTRL+SHIFT+DEL,
or set them only for the session in Settings > Privacy, then the login info is gone. -
Exactly.
You must delete at least 'cookies' and probably 'form autofill data' (possibly even more). -
Every browser that I use contains a feature that asks if you want to remember a password. If I select "Do not remember password", the password must not be remembered. However, Amazon does remember. Clearly, Amazon should change how they handle cookies.
But that begs a much bigger important issue. If a Browser provides a "Do not remember password" feature (and it should), that feature should work. If it doesn't work properly (e.g., like "Do not Track", which sends a request to "Do not Track", but the web site can ignore the request), that should be clearly stated. However, a Browser explicitly lists the web sites which I have instructed it to "Do not remember password", and until I encountered this problem, I assumed the password was not remembered. Now, I know anyone who gains access to my phone/laptop/computer can do significant damage if the sloppy cookie practices of Amazon are not prevented. Yes, I can, should, and have been explicitly logging out of most important web sites. But that begs the issue. If I say "Do not remember", that setting should be enforced, or if it can't be enforced, the Browser must not imply that the password is not remembered.
Thanks for the explanation of session versus persistent cookies, it does explain what is happening. However, persistent cookies must NOT remember passwords if I told the Browser to not remember the password for that site. I have found no other site, where the password provides access to financial, credit card, or medical data that remembers passwords between sessions.
Before your response, I thought this was an Amazon problem. Now, I think it is, and much more importantly, a critical browser problem. Thank you for the quick intelligent response.
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Every browser that I use contains a feature that asks if you want to remember a password. If I select "Do not remember password", the password must not be remembered. However, Amazon does remember. Clearly, Amazon should change how they handle cookies.
If your browser asks if it should remember a password, it means that the browser has a built-in password manager which will store the log in information for the given site. This means that next time you need to log in to that site Vivaldi can fill in the username and password for you. This is not the same thing as a website placing a cookie on your browser to remember that you are logged in (in that case neither you nor your browser needs to provide your password).
Storing a cookie to maintain a logged in state is standard practice on pretty much every website that provides a log in system. Your password is not stored in the cookie, instead it's usually some kind of unique token used to identify you. Vivaldi cannot selectively prevent websites from storing such tokens since Vivaldi has no way to determine which cookies store tokens and which store other values; if you want to block them, you have to block all cookies (or find the correct cookie yourself and block it manually).
Now, if you don't want Amazon to place a cookie to remember your account, just uncheck the "Keep me signed in" checkbox when you log in. (If that doesn't work and you haven't saved the password with Vivaldi's password manager, then it must be Amazon placing the login cookie in spite of you telling them not to.)
If Amazon gives access to sensitive information (like addresses and credit card information) across browser/computer restarts because it remembers your login, then that is a security issue in Amazon and not Vivaldi. They should require that you provide your password again before such information can be accessed (even if you are logged in).
Edit: Just to clarify, even if you uncheck "Keep me signed in", a website will still place a cookie on your device to indicate that you are logged in. Normally that cookie should be set to expire when you close your browser (i.e. end the session) or after a short amount of time. This is required, because without a cookie you'd be logged out automatically as soon as you refresh the page or click on any link on it (because your browser would have no way of identifying itself to the server to prove that you are logged in).
-
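The session-versus-persistent cookie distinction described in the post above (and the short cookie lifetimes mentioned later in the thread), as an added example that is not part of the original thread and not Vivaldi's or Amazon's code: it parses constructed Set-Cookie headers, classifies each cookie by the Expires/Max-Age attributes that decide whether it outlives a browser restart, and shows why a browser that never stored a password can reopen already signed in. Cookie names and values are made up; the "restart" is simulated one hour after the response.

```python
"""Session vs persistent login cookies (added example, not from the thread).

A browser's "never save password" setting controls only its password manager.
Whether a login survives a browser restart is decided by the lifetime the
*server* puts on its login cookie, which is what this example inspects.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed login responses. Cookie names/values are made up.
# Well behaved: the login token has no lifetime, so it dies with the browser;
# only a harmless preference cookie is persistent.
GOOD_LOGIN_RESPONSE = [
    "session-token=a1b2c3; Path=/; Secure; HttpOnly",
    "lang=en_US; Path=/; Max-Age=31536000",
]
# Misbehaving: the login token is given a one-year Expires even though the
# user left "Keep me signed in" unchecked, so the login outlives a restart.
BAD_LOGIN_RESPONSE = [
    "session-token=a1b2c3; Path=/; Secure; HttpOnly; "
    "Expires=Wed, 01 Jan 2025 12:00:00 GMT",
    "lang=en_US; Path=/; Max-Age=31536000",
]


@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime]  # None => session cookie, dropped at browser close

    def is_persistent(self) -> bool:
        return self.expires is not None


def parse_set_cookie(header: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value, keeping only lifetime attributes.

    Max-Age takes precedence over Expires (RFC 6265 section 5.3); if neither
    is present the cookie is a session cookie.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    expires: Optional[datetime] = None
    max_age: Optional[int] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(val.strip())
        elif key == "expires":
            expires = parsedate_to_datetime(val.strip())
    if max_age is not None:
        expires = now + timedelta(seconds=max_age)
    return Cookie(name.strip(), value.strip(), expires)


def cookies_after_browser_restart(jar: List[Cookie], restart_time: datetime) -> List[Cookie]:
    """Simulate closing and reopening the browser: session cookies vanish,
    persistent cookies survive only until their expiry."""
    return [c for c in jar if c.is_persistent() and c.expires > restart_time]


def surviving_cookie_names(set_cookie_headers: List[str], now: datetime) -> List[str]:
    """Names of the cookies a browser will still send after a restart one
    hour later. The browser cannot tell which of these is the login token,
    which is why its only blanket tool is clearing a site's cookies on exit."""
    jar = [parse_set_cookie(h, now) for h in set_cookie_headers]
    return [c.name for c in cookies_after_browser_restart(jar, now + timedelta(hours=1))]


if __name__ == "__main__":
    for label, response in (("good", GOOD_LOGIN_RESPONSE), ("bad", BAD_LOGIN_RESPONSE)):
        print(f"{label}: cookies still sent after restart -> {surviving_cookie_names(response, NOW)}")
```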
If your browser asks if it should remember a password, it means that the browser has a built-in password manager which will store the log in information for the given site. This means that next time you need to log in to that site Vivaldi can fill in the username and password for you. This is not the same thing as a website placing a cookie on your browser to remember that you are logged in (in that case neither you nor your browser needs to provide your password).
Yes.
Storing a cookie to maintain a logged in state is standard practice on pretty much every website that provides a log in system. Your password is not stored in the cookie, instead it's usually some kind of unique token used to identify you. Vivaldi cannot selectively prevent websites from storing such tokens since Vivaldi has no way to determine which cookies store tokens and which store other values; if you want to block them, you have to block all cookies (or find the correct cookie yourself and block it manually).
Yes.
Now, if you don't want Amazon to place a cookie to remember your account, just uncheck the "Keep me signed in" checkbox when you log in. (If that doesn't work and you haven't saved the password with Vivaldi's password manager, then it must be Amazon placing the login cookie in spite of you telling them not to.)
Yes. I did both, and yes Amazon is doing something dubious.
And that is a major problem. I have (a) unchecked the "Keep me signed in" on the web site, (b) asked the browser to "Do not remember password", and (c) checked the browser settings to ensure that the web site and login information is not listed. I have taken three (3!!!) steps to tell the web site to not remember the password, yet all browsers I've checked (Vivaldi, Firefox, Chrome, and Microsoft Edge) remember the password. Please, please, I hope you aren't saying that taking 3 explicit steps to prevent remembering passwords is insufficient. Other sites that I visit do not have this problem. If you are telling me a Browser can't stop this, then that is a major problem.
Advertising and tracking are major problems that Browsers didn't address and third party extensions (e.g., Adware, UBlock, Ghostery) stepped in. One of Vivaldi's features is built-in handling of advertising and tracking problems. One way this is done is by identifying responsible web sites that are well behaved and can be trusted. If you are right and there is no way for a Browser to handle good password hygiene, then perhaps we need an extension/TrustedGroup/TrustedList that can warn if a site isn't a known good site for password hygiene.
If Amazon gives access to sensitive information (like addresses and credit card information) across browser/computer restarts because it remembers your login, then that is a security issue in Amazon and not Vivaldi. They should require that you provide your password again before such information can be accessed (even if you are logged in).
I hope you are not saying that an ordinary user should realize that three (3!!!) explicit actions mean nothing, and those actions are merely requests that can be and, apparently, in case of Amazon (a respected and trusted web site) are being ignored. That is egregious and deceitful. That is very bad service to the public.
Edit: Just to clarify, even if you uncheck "Keep me signed in", a website will still place a cookie on your device to indicate that you are logged in. Normally that cookie should be set to expire when you close your browser (i.e. end the session) or after a short amount of time. This is required, because without a cookie you'd be logged out automatically as soon as you refresh the page or click on any link on it (because your browser would have no way of identifying itself to the server to prove that you are logged in).
I visit many web sites with financial and medical information which have good hygiene. Most automatically logout after a time period of inactivity. I have not experienced this issue at any other site. But I hope you don't expect every user to have to do the experiments I did on every site to check that a site has good hygiene. And, since a site could change code, inadvertently or vertently, even performing such experiments doesn't prevent a bad update to the web site from introducing bad hygiene. If this issue is not addressed, another respected and trusted web site will have bad hygiene (perhaps after an update by new/inexperienced employee), and bad actors will figure out how to introduce/exploit this problem.
-
@alowenst There are several steps you can do to make sure the browser is not storing passwords or cookies for a site.
Unfortunately some of these settings are not yet in the Vivaldi UI so you have to use Chromium URLs to access them.
- Go to chrome://settings/passwords, go through the list and make sure there's no saved password for Amazon.
- On the same page, scroll to the bottom and check if Amazon is listed under "Never Saved". If you've selected to not save, it should be listed there.
- Go to chrome://settings/cookies and under "Always clear cookies..." click Add and enter [*.]amazon.com. This will clear cookies only from Amazon when the browser is closed.
- Another option, as mentioned earlier: in Vivaldi Settings > Privacy > Cookies, if you set Accept Cookies to "Session Only" then all cookies from all sites will be cleared when the browser exits. IMO not a good idea as you might want to stay signed in to some sites.
- Yet another option is to use an extension like Cookie AutoDelete to whitelist a set of sites you want to keep cookies from, deleting everything else when their tab is closed.
As you can see, there are many options to accomplish what you want. It might seem a bit complicated and you're right in that it can't be expected of ordinary users to understand this in detail. But ordinary users do not have your requirement to clear cookies from a specific site and not save passwords. Most users find these things convenient and the browser has to accommodate those users first because that's what they expect.
I hope also the posts above have cleared up your little misunderstanding on the difference between cookies and passwords.
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Yes. I did both, and yes Amazon is doing something dubious.
And that is a major problem. I have (a) unchecked the "Keep me signed in" on the web site, (b) asked the browser to "Do not remember password", and (c) checked the browser settings to ensure that the web site and login information is not listed. I have taken three (3!!!) steps to tell the web site to not remember the password, yet all browsers I've checked (Vivaldi, Firefox, Chrome, and Microsoft Edge) remember the password. Please, please, I hope you aren't saying that taking 3 explicit steps to prevent remembering passwords is insufficient. Other sites that I visit do not have this problem. If you are telling me a Browser can't stop this, then that is a major problem.
If you are logged in in spite of those three things, then Amazon is definitely doing something wrong. Like saving a log in cookie even though there shouldn't be one. Sounds to me like a problem with Amazon and not with Vivaldi.
I hope you are not saying that an ordinary user should realize that three (3!!!) explicit actions mean nothing, and those actions are merely requests that can be and, apparently, in case of Amazon (a respected and trusted web site) are being ignored. That is egregious and deceitful. That is very bad service to the public.
I'm not saying that an ordinary user should have to verify these three things in order to be logged out. They should be able to expect that leaving "Keep me signed in" unchecked will cause them to be logged out when they close the browser. If that is not the case, then Amazon is doing something wrong (as mentioned above). Vivaldi could implement a hack that ensures that a user is logged out automatically if "Keep me signed in" is unchecked, but that would be ugly, unexpected and Amazon-specific.
I visit many web sites with financial and medical information which have good hygiene. Most automatically logout after a time period of inactivity. I have not experienced this issue at any other site. But I hope you don't expect every user to have to do the experiments I did on every site to check that a site has good hygiene. And, since a site could change code, inadvertently or vertently, even performing such experiments doesn't prevent a bad update to the web site from introducing bad hygiene. If this issue is not addressed, another respected and trusted web site will have bad hygiene (perhaps after an update by new/inexperienced employee), and bad actors will figure out how to introduce/exploit this problem.
Those sites are doing things the way they should be done -- they prevent access to sensitive information after longer periods of time by requiring the user to re-enter their password. That is how I would expect a website handling sensitive information to behave.
As you say, a website could change its code so that whatever experiments you do no longer apply. Similarly, if Vivaldi implements a hack that ensures you're logged out from Amazon, Amazon could just change how they do things and that hack is now useless. The best Vivaldi could do would be to add a popup with an option to "Clear all data for this website when Vivaldi is closed". That would pretty much guarantee that you are signed out, but would also affect other site-specific settings (cookie policy choice, theme, etc.) and could thus not be marketed as a "log me out" option (leading to your average user not using it).
End of the day, it is up to the user to trust the website. And if the website provides a function (keep me signed in) that doesn't work, that should be taken up with the company behind that website. If you don't trust the site, don't give it your information in the first place. Personally, I never save credit card information on any website, whether it's Amazon, Steam, or any other (more or less) reputable company.
I also feel like I should mention that while I have a badge saying "Vivaldi Translator", I'm not a Vivaldi employee and I don't speak for the company. These posts are based on my personal knowledge and opinions. (You may already know this, but I felt like it's worth mentioning.)
-
@alowenst
Now I think what you want is that form fields are not saved. So you have a fourth setting, which has to be disabled (but it affects the whole browser, not Amazon only). Open chrome://settings/addresses (yes, chrome) and disable this option -
answer commenters one at a time
Pathduck about 2 hours ago
There are several steps you can do to make sure the browser is not storing passwords or cookies for a site.
Yes that's true. However, I want to allow persistent cookies for Amazon, and I don't want to remember passwords, especially when I take 3 explicit steps to deny the saving of passwords. You are saying I have to take a fourth step, disallow cookies, which will prevent me from using persistent cookies for Amazon which are convenient and useful.
If I can inappropriately and with apologies put words in your mouth, are you saying there is an error in Vivaldi: that when Vivaldi is asked to "Never remember passwords", it must also disallow cookies, because there is no other way for Vivaldi to properly implement the function?
Unfortunately some of these settings are not yet in the Vivaldi UI so you have to use Chromium URLs to access them.
Go to chrome://settings/passwords, go through the list and make sure there's no saved password for Amazon.
On the same page, scroll to the bottom and check if Amazon is listed under "Never Saved". If you've selected to not save it should be listed there.
Thanks for the info on settings. I didn't know that. This is useful.
Go to chrome://settings/cookies and under "Always clear cookies..." click Add and enter [*.]amazon.com. This will clear cookies only from Amazon when the browser is closed.
I want persistent Amazon cookies, so this doesn't address the issue.
Another option, as mentioned earlier, in Vivaldi Settings > Privacy > Cookies, if you set Accept Cookies to "Session Only" then all cookies from all sites will be cleared when the browser exits. IMO not a good idea as you might want to stay signed in to some sites.
Yet another option is to use an extension like Cookie AutoDelete to whitelist a set of sites you want to keep cookies from, deleting everything else when their tab is closed.
Thanks. I did not know about Cookie AutoDelete. I installed it and will white list sites one at a time. If it works as well as the reviews state, I will install on other browsers/computers.
As you can see, there are many options to accomplish what you want. It might seem a bit complicated and you're right in that it can't be expected of ordinary users to understand this in detail. But ordinary users do not have your requirement to clear cookies from a specific site and not save passwords. Most users find these things convenient and the browser has to accommodate those users first because that's what they expect.
I hope also the posts above have cleared up your little misunderstanding on the difference between cookies and passwords.
Thanks for info. I learned a lot. None of this addresses this major security issue. Yes, this is the way many of the best browser have always worked. That doesn't mean that there isn't a password security issue.
Yes, I can prevent persistent cookies to address the problem. But if that's the only way to address the problem, then isn't it essential that "Do not remember password" must require disabling of persistent cookies for that website, or else the feature simply does not work in such cases as I've enumerated.
However, you have not cleared up my little misunderstanding. I think password security is a critical function. I do think there is a problem when three different methods to forget a password don't even work in combination, when each should work by itself independent of other setting.
-
@alowenst
Hi, I was curious how other browsers manage this and tested Firefox as a non-Chromium browser. It does exactly the same as Vivaldi and Opera, for example.
It logs you in automatically, even when you check "never save passwords" and uncheck "Remember me".
Do you know of any browser that manages this correctly?
Cheers, mib
-
Komposten VIVALDI TRANSLATOR about 2 hours ago
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
If you are logged in in spite of those three things, then Amazon is definitely doing something wrong. Like saving a log in cookie even though there shouldn't be one. Sounds to me like a problem with Amazon and not with Vivaldi.
Yes, Amazon is bad. Vivaldi (and others) said that they wouldn't remember the password if the user so directed. That is a lie. Vivaldi won't remember if the web site is implemented properly. If Amazon is implemented improperly, what is the probability of other (non IT) companies having a problem?
I'm not saying that an ordinary user should have to verify these three things in order to be logged out. They should be able to expect that leaving "Keep me signed in" unchecked will cause them to be logged out when they close the browser. If that is not the case, then Amazon is doing something wrong (as mentioned above). Vivaldi could implement a hack that ensures that a user is logged out automatically if "Keep me signed in" is unchecked, but that would be ugly, unexpected and Amazon-specific.
Yes, Amazon has a problem. Other websites will also have the same problem. If you can't implement a solution properly (see discussion above about ads and trackers), then another approach is needed. Yes, Vivaldi doesn't have the clout of Chrome, Firefox, and Microsoft Edge to force an industry change, but you guys are good. That's why I use your browser. That's why I've taken all this time to address the issue on the Vivaldi forum. You guys have been responsive and care. Look at all the talk. But the fact that this is everyone's problem does not mean that Vivaldi can't be a leader on this issue. Maybe Vivaldi's leadership on such an important issue could lead to Vivaldi having greater recognition/visibility, a reputation for excellence, and market share.
Those sites are doing things the way they should be done -- they prevent access to sensitive information after longer periods of time by requiring the user to re-enter their password. That is how I would expect a website handling sensitive information to behave.
As you say, a website could change its code so that whatever experiments you do no longer apply. Similarly, if Vivaldi implements a hack that ensures you're logged out from Amazon, Amazon could just change how they do things and that hack is now useless. The best Vivaldi could do would be to add a popup with an option to "Clear all data for this website when Vivaldi is closed". That would pretty much guarantee that you are signed out, but would also affect other site-specific settings (cookie policy choice, theme, etc.) and could thus not be marketed as a "log me out" option (leading to your average user not using it).
Yes. That is why I brought up how Browsers handle ads and trackers. Again, I offer that solution as a last resort.
End of the day, it is up to the user to trust the website. And if the website provides a function (keep me signed in) that doesn't work, that should be taken up with the company behind that website. If you don't trust the site, don't give it your information in the first place. Personally, I never save credit card information on any website, whether it's Amazon, Steam, or any other (more or less) reputable company.
Here we strongly disagree. We know we can't trust any website. The compromise of SolarWinds compromised virtually everything. The CIA and NSA were hacked. Yes, I avoid giving my credit card information whenever possible. That's why I use Paypal. It is not that I 100% trust Paypal, it's that I need to use Paypal sometimes, so using Paypal reduces the number of vendors to whom I've exposed the credit card. Also, I certainly don't trust a site to forget my credit card. That's a promise contingent upon a company's honesty, competence, and back up practices.
I also feel like I should mention that while I have a badge saying "Vivaldi Translator", I'm not a Vivaldi employee and I don't speak for the company. These posts are based on my personal knowledge and opinions. (You may already know this, but I felt like it's worth mentioning.)
Thanks for your comments. Many will have your thoughts. You gave me a chance to clarify issues that others care about. As stated above, I take it as a compliment that people on this Vivaldi forum have been responsive.
-
It's getting late here so I don't have time to read through and reply to your full post, but I'd like to say this at least:
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Yes, Amazon is bad. Vivaldi (and others) said that they wouldn't remember password if the user so directed. That is a lie.
Vivaldi doesn't remember the password. Vivaldi doesn't even know that you are logged in to Amazon. So Vivaldi doesn't technically lie.
This is the whole problem here. Vivaldi can't fix something that Vivaldi isn't aware of, not without hardcoded fixes for specific sites or general-purpose tools that do more than log you out.
Of course, being one of the most inventive browser teams there are, I wouldn't be surprised if the Vivaldi team actually manages to find a solution to this. I just personally can't find an obvious one.
-
@Komposten said in Amazon.com knows your password even when the browser hasn't stored the password:
Vivaldi doesn't remember the password. Vivaldi doesn't even know that you are logged in to Amazon. So Vivaldi doesn't technically lie.
This is the whole problem here. Vivaldi can't fix something that Vivaldi isn't aware of, not without hardcoded fixes for specific sites or general-purpose tools that do more than log you out.
Of course, being one of the most inventive browser teams there are, I wouldn't be surprised if the Vivaldi team actually manages to find a solution to this. I just personally can't find an obvious one.
Here's what Vivaldi can do tomorrow. When you select never save the password, Vivaldi could say:
I can't do that unless I (Vivaldi) block persistent cookies for that website. Do you want to never save the password and block persistent cookies for this site? Yes or no.
There are probably 100 better methods. I doubt this is the best. But it is one that should work even if a web site has bad password hygiene.
And Vivaldi could be the leader who presents this to industry for a better fix (which I guess involves a tracker/advertisement class fix.)
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Yes, I avoid giving my credit card information whenever possible. That's why I use Paypal. It is not that I 100% trust Paypal, it's that I need to use Paypal sometimes, so using Paypal reduces the number of vendors to whom I've exposed the credit card.
I hate to be off topic, but your opinion is kind of ironic if you look at how many companies Paypal exchanges your data with (hint: 500+):
https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list -
I would be interested to know how you became aware that amazon remembers your password.
You said that you only noticed when you saw you were already logged in, but as you noted earlier, you can do that with cookies, no need for the password.
You also said you want cookies to remain as they are useful. I assume that's because they keep you logged in?
I'm not trying to be facetious, I am just having trouble seeing the problem.
Amazon are not my favourite company but I imagine as a big tech firm they probably are doing proper password security. If you have proof of the opposite you should disclose it to them directly. Vivaldi can't do much about that.
-
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
Here's what Vivaldi can tomorrow. When you select never save the password, Vivaldi could say:
I can't do that unless I (Vivaldi) block persistent cookies for that website. Do you want to never save the password and block persistent cookies for this site? Yes or no.
I still don't think this is necessary. If you choose "Never save the password", Vivaldi does not save the password. Vivaldi is not lying. You're not being logged in to Amazon automatically; it's Amazon that remembers that you are logged in (not your password).
-
@derDay
I hate to be off topic, but your opinion is kind of ironic if you look at how many companies Paypal exchanges your data with (hint: 500+):
https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list
Thanks. I never heard or thought of that. I like to be reminded how stupid and naive I can be. Of course, Paypal would monetize that. But, I will still use Paypal and trade off credit card exposure versus privacy (which is lost by so many other things, not the least of which is Amazon.)
-
Komposten VIVALDI TRANSLATOR about 8 hours ago
@alowenst said in Amazon.com knows your password even when the browser hasn't stored the password:
I still don't think this is necessary. If you choose "Never save the password", Vivaldi does not save the password. Vivaldi is not lying. You're not being logged in to Amazon automatically; it's Amazon that remembers that you are logged in (not your password).
Please correct me if I'm wrong and putting words in your mouth. You think it is OK to offer a feature that says never save passwords when (a) you know it doesn't work sometimes, (b) you know when and why it doesn't work, (c) you know a major web site on which it doesn't work, (d) you don't think it's important to warn the user there may be a problem, and (e) Vivaldi provides several mechanisms showing that Vivaldi hasn't saved the password, but nevertheless the password has been saved.
Since I'm sure I'm mistaken and have misrepresented your view, please correct this response.
-
@alowenst The thing that we are trying to say is that a password isn't being saved. A logged in state is being stored in a cookie, but no password is being saved.
The "Never save passwords" option seems like it is working as it should based on what you said. With that option it should not be saving passwords in the internal password manager or asking you to save passwords.
Providing a warning for Amazon specifically would not be beneficial because just about all websites will work the same way. There are some more sensitive websites that invalidate the cookie storing the logged in state after a short period of time, but most websites have much longer durations before the cookie is invalidated.
The only issue that looks to be in question here is the unchecking of the "keep me logged in" option on Amazon. If you have that unchecked and a restart of the browser doesn't invalidate your login, then that could be a bug.