Mozilla Privacy Bug

Saturday September 14th, 2002

Yesterday, ZDNet UK News reported that Mozilla has a privacy flaw involving HTTP referers. The flaw can be exploited using the onUnload JavaScript handler, which is triggered when a visitor leaves a page (for example, by clicking a link or using a bookmark). The problem is that the referer Mozilla sends is the URL of the page that the visitor is going to, not the page that he or she is exiting. This means that a site can discover where you are heading when you leave.

The security bug is present in the latest versions of Mozilla (including 1.0.1, 1.1 and 1.2 Alpha) as well as some Mozilla-based browsers, such as Netscape 6.x, Netscape 7.0, Galeon 1.2.x and Chimera 0.5. At the time of writing, no fix is available. A workaround is to disable JavaScript (Edit > Preferences > Advanced > Scripts & Plugins).

A demonstration of the exploit has been created by security researcher Sven Neuhaus, who posted details of the vulnerability to Bugtraq on Wednesday.

The bug was filed in Bugzilla as bug 145579 on Sunday 19th May, with the more serious onUnload behaviour found on Friday 7th June. The report is currently marked as "Security-Sensitive" and access to it is restricted in line with the Mozilla Security Bugs Policy.

UPDATE! Bug 145579 has now been made public.

ANOTHER UPDATE! A fix has been checked in to the trunk. A patch for the 1.0 branch will follow shortly.

YET ANOTHER UPDATE! A patch has now been checked in to the 1.0 branch.

#56 Track Record

by amutch

Wednesday September 18th, 2002 12:15 PM

You are replying to this message

"Wow, what a track record. I could just as easily say the same thing with regards to IE, except I've been using it for much longer than 1 1/2 years."

Actually, that is quite a track record. It doesn't have anything to do with time, it has to do with use. These PCs are used by thousands of users per year. You may have been using IE for longer than 1.5 years but you haven't been using the same version, I bet. Comparing your use since you used IE 3 to using IE 6 (or whatever version you are using) doesn't provide much useful information for a comparison.

"Where the hell is your head? No kidding! I wouldn't expect a browser with such miniscule usage status to be the target of any evil freak that druels over the thought of creating headaches for the masses."

Sorry - you're just plain wrong. If software can be exploited, it will be exploited. It has nothing to do with how many people use it every day. I've seen people try to hack the Mozilla-based browser without success. I've seen sites try to exploit the Mozilla-based browser without success. On the other hand, IE regularly allows sites to do all kinds of things that no good browser should allow.

"I just did earlier. I'm no expert, I'm just a user, and so far you have done a lousy job of convincing me that Mozilla has any sort of track record worth boasting about."

Maybe you should work in the real world with actual browsers in actual use. Then you can tell me about real-world comparisons, not what you think based on only your experience.