Mozilla Flaw Springs Privacy Leak

Researchers have found a flaw in Mozilla-based browsers that exposes the URL of the page a user is viewing to the Web server of the site visited last.
Posted September 16, 2002
By

Ryan Naraine

Ryan Naraine


Researchers have found a flaw in Mozilla-based browsers that springs data on the Web surfing movements of users.

Head researcher at Neopoly Sven Neuhaus said the bug, first discovered in May, is a serious privacy issue.

In a demonstration of the flaw, Neuhaus says it exposes the URL of the page a user is viewing to the Web server of the site visited last, allowing a Web site to track where a viewer goes next regardless of whether the URL is entered manually or via a bookmark.

"This bug is still present in the Mozilla 1.1 release... It's been three months," Neuhaus said in a plea for a fix on Bugzilla, the site used to track vulnerabilities in Mozilla releases.

It affects Mozilla browser versions 0.9x, 1.0, 1.0.1, 1.1 and 1.2 alpha; Netscape 6.x and 7; Galeon 1.2.x and Chimera 0.5.

Mozilla users are urged to disable JavaScript as a temporary workaround until a fix is issued. The flaw exists in the "onunload" handler which loads an image from the referring server about a user's surfing movements.

In addition to disabling JavaScript, users can avoid the bug by creating a file "user.js" in the profile folder (the one with the pref.js file) and put the following line in the file: user_pref("capability.policy.default.Window.onunload", "noAccess"); This stops the "onunload" handler from being activated.

Mozilla.org, the open source browser project backed by AOL Time Warner , just released the 1.1 upgrade to provide increased support for Linux and Mac platforms but the privacy flaw remains in the upgrade, Neuhaus said.






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.