Privacy Leak in Mozilla and Mozilla-Based Browsers
Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon.
The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."
Should it be fixed? Yes. Is it a big deal? Not unless you're doing something nasty. Bottom line is that I don't really care who knows what websites I go to, because I keep my web accesses legitimate and vanilla. Who's got time to crack, pr0n, or spod when trying to raise a family? Geesh.
"He who would learn astronomy, and other recondite arts, let him go elsewhere." -- John Calvin, commenting on Genesis 1
If this bug has really been known for months, are we hypocritical to bash others (always MS) for late fixes?
Bugs should be publicized immediately so fixes will happen sooner. It's good to first inform those who are responsible for the code so they can have a heads up, but months (if true here) is too long to wait.
this is not a sig
.. how many people are saying "no big deal". If the article stated:
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
Because of a /. article and because I'm OS/Software agnostic, I tried Mozilla 1.0 which was a horrible product. I could repeatedly lock up the browser simply by going into the preferences. Maybe it's been fixed in 1.0.1, but I'm not willing to waste my time, especially since IE runs just fine.
I have excellent Karma, so if you can't handle the truth, mod me down, I don't give a shit, I'm just sick of the "hippicratical oath" /. editors have taken.
Live web cams
> This just troubles me greatly.
Fine, this is not how you'd expect it to work.
But, GIVE ME A BREAK. Privacy issues on the Web are legend. Cookies, refer, hidden fields, the entire body of software we know as "IE", the list goes on and on and on.
So, by some new "stupid browser trick" you can now see where people are going -- not just where they've come from (as has always, forever, been the case).
Oh my.
If you are worried about "privacy" then you have been using an appropriate "junk busting" proxy from day one.
If you are not using such a proxy, then you are not now, and never have been, seriously worried about privacy. And, this "horror of horrors" is no more an issue to anyone than the Referrer field.
This sounds more like Microsoft Marketing poring through a Bug Base and using the media to turn a mole hill into a mountain.
Should it be fixed? Yea. So should Referrer be removed from existence. So should a lot of much more pressing privacy issues be outright abolished.
So go back to sleep. If you weren't worried about this yesterday, then there is no reason for you to be worried about it today.
Is that as breaches go it is a fairly minor one with a trivial workaround, yet it remained confidential in bugzilla.
If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
If you think that all that matters is whether the /. community thinks something is secure or not, then you are looking in the wrong place.
In the real world, there will always be security problems. The real issue is the scope of those problems. I happen to think that Mozilla and open source software in general tends to be more secure (aside from old versions of BIND and all versions of Sendmail).
If security is what you want, do a risk assessment, and look at the actual ways that different products will mitigate those risks. If you use Linux because it is "More Secure" then you are asking for trouble. So, you need to make up your own mind and determine what you need to do.
In other words, don't follow someone's opinion until you understand why they think that way and whether it applies to your situation.
LedgerSMB: Open source Accounting/ERP
Any developer who puts the username and password in a URL should be shot. And any user who sees their password in the URL in plain sight and doesn't complain, or stop using the services, shouldn't be allowed near a computer to begin with.
Usernames and passwords to web sites can be embedded into the URL, and encrypted. This still allows anybody who grabs the URL to get onto a 'secured' page on said website. The BDSM Web Site alt.com uses such a mechanism, and is full of people with all sorts of kinky interests, including 'vulnerable' sexual submissives. The alt.com chatroom uses URL-based 'passwords.' For whatever reason they prefer that to a cookie-based security scheme.
But why is it when it's an IE bug, it's a "Severe Security Exploit", and when it's a Mozilla bug, it's a "Privacy Leak"...
George Carlin said it best, that we think in language. Changing the rhetoric that is used to describe the problem doesn't change the problem. You can be Anti-Microsoft all you want, but that is worth NOTHING if the software that you choose to use exhibits the same problems, and you are not honest about them.
Again, I'm not taking Microsoft's side -- there aren't sides to take. Open Source software needs to be just as accountable as commercial software if it's to be taken seriously.
NO.
The implementors of the demo were lazy (having no server-side scripting) and used a cookie to record the information leaked by onUnload. You are in no way protected by disabling cookies.
That just breaks the demo, the vulnerability is still there.
Black holes are where the Matrix raised SIGFPE
This is his point, open source is praised because anyone can view the source code and fix anything that's broken...you just proved how untrue this is in reality.
Laptop Reviews
Open source allows anyone to fix a problem. Though the amount of time and effort that it will take you to do the fix is something which you have to weigh against the size of the problem.
Closed source you can't fix it no matter how big a problem it is.
I.e. what is the cost of the problem, would it cost you more to fix it than living with it.