Enabling “Continue where you left off” is caching login credentials even if site preferences are set to not save usernames/passwords.
Specifically, this is happening with our bank’s website. With this option enabled, closing the browser window by either quitting or rebooting does not clear the login credentials/tokens, and upon relaunch of the browser, it automatically navigates to the site AND logs in.
We have not tested this with other bank websites but can repeat the behavior with our bank’s website. This issue does not present with Safari, Chrome, MS Edge or Firefox.
To reproduce the glitch, all we have to do is have the option to “continue where you left off” enabled, log into the website and then quit the browser. Upon relaunch, it opens the webpage and logs in.
The setting for saving usernames/passwords is disabled. Shields are disabled and clearing the history resolves the issue only until the next time it is cleared. By selecting the “Open the new tab page” option, this behavior ceases.
Yes, an easy “solution” is to keep the browser set to “new tab” on startup; however, the issue of login tokens being somehow cached even when it is set to prohibit saving passwords presents a security risk. While this might only be happening with one website (so far), that it is happening at all seems to contradict the security protocol of not saving passwords.
If another user has access to the PC/Mac and sets the browser preferences back to “continue” before someone keys in a username/password, the browsing history provides access to the protected account. We are able to repeat this behavior.
This happens on both Mac (Catalina) and PC (Windows 10) — and again, this is repeatable by simply changing the “on startup” setting.
This issue has not been tested on any other platforms. Both desktop devices are running the latest version of Brave (Version 1.20.108 Chromium: 88.0.4324.182).
Our expectation is that once the “save password” option is disabled, closing/quitting the browser would clear all or a portion of the login credentials/tokens, making it necessary to retype them for access to that specific account.
Any insight is welcome. Maybe this is user error. Thank you.