MozillaZine

Mozilla Privacy Bug

Saturday September 14th, 2002

Yesterday, ZDNet UK News reported that Mozilla has a privacy flaw involving HTTP referers. The flaw can be exploited using the onUnload JavaScript handler, which is triggered when a visitor leaves a page (for example, by clicking a link or using a bookmark). The problem is that the referer Mozilla sends is the URL of the page that the visitor is going to, not the page that he or she is exiting. This means that a site can discover where you are heading when you leave.

The security bug is present in the latest versions of Mozilla (including 1.0.1, 1.1 and 1.2 Alpha) as well as some Mozilla-based browsers, such as Netscape 6.x, Netscape 7.0, Galeon 1.2.x and Chimera 0.5. At the time of writing, no fix is available. A workaround is to disable JavaScript (Edit > Preferences > Advanced > Scripts & Plugins).

A demonstration of the exploit has been created by security researcher Sven Neuhaus, who posted details of the vulnerability to Bugtraq on Wednesday.

The bug was filed in Bugzilla as bug 145579 on Sunday 19th May, with the more serious onUnload behaviour found on Friday 7th June. The report is currently marked as "Security-Sensitive" and access to it is restricted in line with the Mozilla Security Bugs Policy.

UPDATE! Bug 145579 has now been made public.

ANOTHER UPDATE! A fix has been checked in to the trunk. A patch for the 1.0 branch will follow shortly.

YET ANOTHER UPDATE! A patch has now been checked in to the 1.0 branch.


#62 re: Fix is out, but how do you implement it?

by GAThrawn

Thursday September 19th, 2002 10:30 AM


First of all, the user.js file is stored in your profile directory.

Depending on which version of Windows you're using, this could be in a variety of places (I'm assuming you're using Windows):

Win95/98/Me: your profile will be in either:
C:\windows\profiles\[your ID]\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\
Or:
C:\windows\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

WinNT4: C:\winnt\profiles\[your ID]\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

Win2000/WinXP: C:\Documents and Settings\[your ID]\Application Data\Mozilla\Profiles\[Your profile name, or default]\[random number].slt\

The bits in the square brackets ([]) will vary from PC to PC.

You can open the user.js file in Windows Notepad (make sure to close Mozilla first, including Quicklaunch if you use it). Then at the end of the file, on a blank line paste:

user_pref("capability.policy.default.Window.onunload", "noAccess");

Then save the file and restart Mozilla, and that particular JavaScript method will be safely disabled.
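
One way to script the user.js edit described in the comment above, as an added example that is not part of the original post or of Mozilla's own code. It assumes the Profiles\[profile name]\[random number].slt layout given above; the function names are hypothetical and the demo directory tree is constructed. Because user.js is optional and is not created with a profile, a missing file is created rather than treated as an error.

```python
import re
import tempfile
from pathlib import Path

PREF_KEY = "capability.policy.default.Window.onunload"
PREF_LINE = 'user_pref("%s", "noAccess");' % PREF_KEY
# Matches an existing (uncommented) user_pref line for the same key, any value.
_EXISTING = re.compile(r'^\s*user_pref\(\s*"%s"\s*,.*\);\s*$' % re.escape(PREF_KEY))


def ensure_pref(text):
    """Return user.js text with exactly one PREF_LINE, placed at the end."""
    kept = [ln for ln in text.splitlines() if not _EXISTING.match(ln)]
    kept.append(PREF_LINE)
    return "\n".join(kept) + "\n"


def harden_profiles(profiles_root):
    """Apply the pref to every <profile name>/<random>.slt/user.js found.

    Returns the list of user.js paths that were created or changed.
    Run it only while Mozilla (and Quicklaunch) is closed.
    """
    changed = []
    for salt_dir in sorted(Path(profiles_root).glob("*/*.slt")):
        if not salt_dir.is_dir():
            continue
        user_js = salt_dir / "user.js"
        # A missing user.js is treated as an empty file and created.
        old = user_js.read_text() if user_js.exists() else ""
        new = ensure_pref(old)
        if new != old:  # idempotent: a second run changes nothing
            user_js.write_text(new)
            changed.append(user_js)
    return changed


if __name__ == "__main__":
    # Constructed sample tree standing in for ...\Mozilla\Profiles
    root = Path(tempfile.mkdtemp())
    (root / "default" / "abc123.slt").mkdir(parents=True)
    stale = root / "work" / "xyz789.slt"
    stale.mkdir(parents=True)
    # An older, conflicting value for the same pref gets replaced.
    (stale / "user.js").write_text('user_pref("%s", "allAccess");\n' % PREF_KEY)
    for path in harden_profiles(root):
        print("updated", path)
```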