Peter Lairo wrote:
>
> Gervase Markham wrote:
>
> >> Mozilla goes through the effort of .slt'ing user profiles, yes?
> >> Do you know how easy it is, though, to just go to %temp% and see
> >> a list of emails you've sent? Why doesn't Mozilla destroy these
> >> copies when it's done with them? Is there a bug open for this?
> >>
> >
> > Search Bugzilla :-) And ask in n.p.m.security.
> >
> > Gerv
> >
> That actually seems like an important question that shouldn't be brushed
> off so lightly to someone who is helpful enough to point it out here,
> but might not post it in security (I too do not subscribe to
> n.p.m.security).
>
>
Yeah, and the thing that bothers me is that Mozilla doesn't (yet)
destroy ANY temp files. If you view a zip file from a website, I'd
assume that when you close the app it should destroy the files it
temporarily saved. Especially emails. Emails shouldn't be saved until
closing, they should be purged after sending. I look now and I have
nsmail-1.eml and nscopy-1.tmp through -8. -x.eml and -x.tmp are the
same files (the .tmp has a few more lines of headers). These should not
be here. No one can find my profiles\mail folder due to it being
demon-lag\8randomalphanumeric character.3randomalphanumeric
character\mail, but it's very simple to navigate to %temp% and now
someone has all my outgoing emails since I've manually emptied my temp
folder. I think this is a serious security concern.
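
An added example, not part of the original post and not Mozilla code: a small audit that lists leftover outgoing-mail temp files in a temp directory and removes the stale ones. The name pattern is an assumption based on the nsmail-N.eml / nscopy-N.tmp names quoted above; the function names, the 10-minute age threshold and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed name pattern, based on the nsmail-N.eml / nscopy-N.tmp names in the post.
LEFTOVER = re.compile(r"^(nsmail|nscopy)-(\d+)\.(eml|tmp)$", re.IGNORECASE)
MAIL_HEADERS = (b"\nfrom:", b"\nto:", b"\nsubject:")

def find_leftovers(temp_dir):
    """Return matching regular files in temp_dir, oldest first."""
    hits = []
    for entry in Path(temp_dir).iterdir():
        if LEFTOVER.match(entry.name) and entry.is_file():
            st = entry.stat()
            hits.append({"path": entry, "size": st.st_size, "mtime": st.st_mtime})
    return sorted(hits, key=lambda h: h["mtime"])

def looks_like_mail(path, probe=4096):
    """True if the start of the file contains mail header names."""
    with open(path, "rb") as fh:
        head = b"\n" + fh.read(probe).lower()
    return any(name in head for name in MAIL_HEADERS)

def purge(hits, min_age_s=600, now=None):
    """Delete hits older than min_age_s so a draft being sent is left alone.
    unlink() only removes the directory entry; it does not overwrite the data."""
    now = time.time() if now is None else now
    removed = []
    for h in hits:
        if now - h["mtime"] >= min_age_s and looks_like_mail(h["path"]):
            h["path"].unlink()
            removed.append(h["path"])
    return removed

def demo():
    """Run against a constructed directory; returns (found, removed) names."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("nsmail-1.eml", "nscopy-1.tmp", "unrelated.txt"):
            Path(d, name).write_bytes(b"From: a@example.test\nSubject: hi\n\nbody\n")
        old = time.time() - 3600
        os.utime(Path(d, "nsmail-1.eml"), (old, old))
        found = find_leftovers(d)
        removed = purge(found)
        return [h["path"].name for h in found], [p.name for p in removed]

if __name__ == "__main__":
    print(demo())
```

To audit a real machine, pass tempfile.gettempdir() to find_leftovers() and review the list before calling purge().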