
Mozilla Flaw Springs Privacy Leak

Researchers have found a flaw in Mozilla-based browsers that exposes the URL of the page a user is viewing to the Web server of the site visited last.


Posted September 16, 2002
By Ryan Naraine


Researchers have found a flaw in Mozilla-based browsers that springs data on the Web surfing movements of users.

Sven Neuhaus, head researcher at Neopoly, said the bug, first discovered in May, is a serious privacy issue.

In a demonstration of the flaw, Neuhaus says it exposes the URL of the page a user is viewing to the Web server of the site visited last, allowing a Web site to track where a viewer goes next regardless of whether the URL is entered manually or via a bookmark.

"This bug is still present in the Mozilla 1.1 release... It's been three months," Neuhaus said in a plea for a fix on Bugzilla, the site used to track vulnerabilities in Mozilla releases.

It affects Mozilla browser versions 0.9x, 1.0, 1.0.1, 1.1 and 1.2 alpha; Netscape 6.x and 7; Galeon 1.2.x and Chimera 0.5.

Mozilla users are urged to disable JavaScript as a temporary workaround until a fix is issued. The flaw exists in the "onunload" handler, which loads an image from the referring server, carrying data about a user's surfing movements.

In addition to disabling JavaScript, users can avoid the bug by creating a file named "user.js" in the profile folder (the one with the prefs.js file) and putting the following line in it:

user_pref("capability.policy.default.Window.onunload", "noAccess");

This stops the "onunload" handler from being activated.
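The user.js workaround above can be applied and checked with a short script. This is an added example, not code from Neuhaus or Mozilla.org; the function names are hypothetical, the profile folder is a constructed temporary directory, and it assumes one pref per line with a later line overriding an earlier one.

```python
import re
import tempfile
from pathlib import Path

PREF = "capability.policy.default.Window.onunload"   # pref name from the article
VALUE = "noAccess"                                    # value from the article
WORKAROUND = f'user_pref("{PREF}", "{VALUE}");'

# Matches an active, string-valued user_pref("name", "value"); line.
# Commented-out lines (starting with //) do not match and are left alone.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

def pref_name(line):
    """Name of the pref set on this line, or None if it sets none."""
    m = PREF_RE.match(line)
    return m.group(1) if m else None

def read_prefs(user_js):
    """Return {name: value}; assumes a later line overrides an earlier one."""
    prefs = {}
    if user_js.exists():
        for line in user_js.read_text(encoding="utf-8").splitlines():
            m = PREF_RE.match(line)
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs

def ensure_workaround(profile_dir):
    """Make user.js carry the workaround; return 'present', 'added' or 'replaced'."""
    user_js = Path(profile_dir) / "user.js"
    current = read_prefs(user_js).get(PREF)
    if current == VALUE:
        return "present"
    lines = user_js.read_text(encoding="utf-8").splitlines() if user_js.exists() else []
    kept = [l for l in lines if pref_name(l) != PREF]   # drop conflicting settings
    kept.append(WORKAROUND)
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return "added" if current is None else "replaced"

if __name__ == "__main__":
    profile = Path(tempfile.mkdtemp())   # constructed stand-in for a profile folder
    (profile / "user.js").write_text(
        '// constructed sample\nuser_pref("example.constructed.pref", "x");\n',
        encoding="utf-8")
    print(ensure_workaround(profile))    # first run writes the line
    print(ensure_workaround(profile))    # second run finds it already set
    print((profile / "user.js").read_text(encoding="utf-8"))
```

Running it twice against the same folder leaves a single copy of the line, and any other prefs or comments already in user.js are preserved.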

Mozilla.org, the open source browser project backed by AOL Time Warner, just released the 1.1 upgrade to provide increased support for Linux and Mac platforms, but the privacy flaw remains in the upgrade, Neuhaus said.





