Mozilla Privacy Bug

Saturday September 14th, 2002

Yesterday, ZDNet UK News reported that Mozilla has a privacy flaw involving HTTP referers. The flaw can be exploited using the onUnload JavaScript handler, which is triggered when a visitor leaves a page (for example, by clicking a link or using a bookmark). The problem is that the referer Mozilla sends is the URL of the page that the visitor is going to, not the page that he or she is exiting. This means that a site can discover where you are heading when you leave.

The security bug is present in the latest versions of Mozilla (including 1.0.1, 1.1 and 1.2 Alpha) as well as some Mozilla-based browsers, such as Netscape 6.x, Netscape 7.0, Galeon 1.2.x and Chimera 0.5. At the time of writing, no fix is available. A workaround is to disable JavaScript (Edit > Preferences > Advanced > Scripts & Plugins).

A demonstration of the exploit has been created by security researcher Sven Neuhaus, who posted details of the vulnerability to Bugtraq on Wednesday.

The bug was filed in Bugzilla as bug 145579 on Sunday 19th May, with the more serious onUnload behaviour found on Friday 7th June. The report is currently marked as "Security-Sensitive" and access to it is restricted in line with the Mozilla Security Bugs Policy.

UPDATE! Bug 145579 has now been made public.

ANOTHER UPDATE! A fix has been checked in to the trunk. A patch for the 1.0 branch will follow shortly.

YET ANOTHER UPDATE! A patch has now been checked in to the 1.0 branch.

#61 Re: Track Record

by kristen

Thursday September 19th, 2002 5:28 AM

You are replying to this message

"Actually, that is quite a track record."

It is quite a track record alright. Quite a meaningless and irrelevant one. If you regard you and your 'thousands of users' web browsing in a < 1% browser in an IE world without recourse as any sort of proof that the browser itself is secure, then you better guess again. Your entire logic behind that is broken and flawed. Which brings me to a question. A question that some of the fine folks here at Mozillazine often like to throw in the face of an IE user. A question that I am going to love to ask right now. How do you know you were never compromised? Of the thousands of Mozilla users of whoms web browsing you have intimate knowledge of, how do any of them know? Just between Mozilla 1.0 and 1.0.1 there were 25+ security fixes. How do you know that no one has succumbed to any of those? Those were rhetorical questions, of course. The fact is that you don't know.

"Sorry - you're just plain wrong. If software can be exploited, it will be exploited."

I'm going to give you the opportunity to think about what you just said before I rip it to pieces. Take a few deep breaths.... and think for a moment. Think hard if you have to.

"Maybe you should work in the real world with actual browsers in actual use. Then you can tell me about real-world comparisons, not what you think based on only your experience."

This really applies to you more than anyone else. While I don't claim to have personally interviewed ten million web surfers or examined the sourced code to 2 billion web pages, between work and personal life, my experience is quite firmly grounded in the real world. In fact, I believe it is the other way around in regards to what you said. I think it is you who needs to get out in the real world. I think it is you who needs to get out in the real world because when I see someone, anyone, speaking on the behalf of experiences from thousands of users, hackers, etc... I know they are about as full of poop as a christmas goose.