Linc Davis wrote:
It's not a security flaw. Anyone who can access your account has all your data, including your browsing history, your bookmarks, and your saved passwords. That's the intended behavior. The countermeasures provided are screen locking and encryption. If you don't use those countermeasures, your data is unsafe.
On the contrary, this is indeed a security flaw. It is not a failure of the technology, but rather of the design.
Access to "browsing history" is not a big deal. It may be a privacy concern, but no web content is contained there. Bookmarks are the same deal, just links. And most folks likely do not use an autofill password for their banking information (and even if you did, you'd have to go out of your way to enable that). My bank (and every other that I've seen) does not provide the ability through their site to autofill passwords or keep you logged in. In fact, most log you out after a given time.
"Encryption", as you suggest, doesn't solve the problem, as this is not an issue of data interception between client and host. And "screen locking" is not enabled by default. In fact, even if it were, you'd still have to manually lock the screen each time you got up to be safe, as the auto locking wouldn't kick in for a few minutes.
Ok guys, before anyone else wastes their time explaining to me the thousands of different ways to work around this issue, let me clarify the point here:
Good security practices should include measures and systems that are "fail-secure", by default. In other words, if a website has measures to automatically log you out upon timeout for security reasons, the browser should not permit an easily and quickly accessible means of circumventing that security feature and displaying your recently accessed data.
In other words, when your grandma sits down to view her banking info, and she logs out of her bank site when she's finished (thinking she has now securely logged off), it shouldn't be possible for someone to slip up behind her and capture the last displayed (sensitive) data within 10 seconds.
Suggestions requiring further knowledge or preemptive (and less-than-obvious) steps by all end users to prevent this are not reasonable, nor are they a practical solution.
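The fail-secure behaviour the post asks for can also be enforced from the website's side, assuming the re-displayed data comes from the browser's local page cache (back button or history snapshot). The Python below is an added example, not code from this thread or from any browser or bank; the header names are real HTTP headers, the sample response is constructed.

```python
"""
Fail-secure response headers for pages that show private data.
Assumption (not stated in the thread): the page a bystander sees after
logout is served from the browser's own cache, so the fix is to tell the
browser never to store such a response in the first place.
"""
from typing import Dict, List

# Directives a site should send on every authenticated response.
NO_STORE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",   # honoured by legacy HTTP/1.0 caches and old browsers
    "Expires": "0",
}


def harden_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` with the no-store directives applied,
    overriding any permissive Cache-Control the application set."""
    hardened = dict(headers)
    hardened.update(NO_STORE_HEADERS)
    return hardened


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Audit a response (header names matched case-insensitively) and list
    the reasons a browser may keep the page viewable after logout.
    An empty list means the response is not cacheable."""
    lower = {k.lower(): v for k, v in headers.items()}
    directives = [d.strip().lower()
                  for d in lower.get("cache-control", "").split(",") if d.strip()]
    findings: List[str] = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    for d in directives:
        if d.startswith("max-age=") and d != "max-age=0":
            findings.append(f"Cache-Control allows reuse ({d})")
        if d == "public":
            findings.append("Cache-Control marks response public")
    return findings


# Constructed sample: a typical framework default for a logged-in account
# page. 'private' only keeps shared proxies out; the browser still stores it.
WEAK_ACCOUNT_PAGE: Dict[str, str] = {
    "Content-Type": "text/html",
    "Cache-Control": "private, max-age=600",
}

if __name__ == "__main__":
    print(cache_findings(WEAK_ACCOUNT_PAGE))
    print(cache_findings(harden_response_headers(WEAK_ACCOUNT_PAGE)))  # []
```

Note that `private` alone does not help here: it only stops shared caches, and the user's own browser is exactly the cache that matters in the scenario above.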