Slashdot Mirror
Privacy Leak in Mozilla and Mozilla-Based Browsers
Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon.
The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."
...is that the bug has apparently been a known one for months, and still hasn't been repaired.
I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.
Do not link to BugZilla from the front page. Not only is it extremely impolite to overload their system with a bunch of hits from people who have no actual interest in the page, but they have disabled links with a slashdot referrer anyway. I'm sure some clued person will go to the bug report and relay any pertinent information in the comments anyway.
I very highly doubt that any site that I visit will be exploiting this bug. Who would waste the time to do this when only about 1% of their visitors will be susceptible to the user tracking. Yeah, I am concered about privacy, but is this really news? Thanks /. for keeping me informed.
I do everything in Mozilla in tabs. I open new sites in tabs, I'll even load other pages in tabs (middle click is your friend). As a result, they can't spy on me, because I don't go anywhere in that tab once I get there. If (and that might be a pretty big if) that is how you do your browsing, this bug isn't a big deal.
Bryan
It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infalible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.
From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disable features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.
This workaround will only disable one of the ways the bug can be exploited (albeit the easier way to exploit it). Based on my reading of the bug, it can also be exploited through timeouts, although methods for doing so are probably less reliable.
It's not a bug.
/. at 0 or -1, you'll still see some of them.
This was the solution to a hack, actually (IIRC). The Page Widening Trolls (TM) like to make a string of text thousands of characters long so there's a real nasty side-scroll. By adding in that space every X nuber of characters, it becaome imposible for the trolls to make the window side scroll.
Browse
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
The last few builds have introduced more bugs than ever. It seems to me that spangly new features are being introduced at the expense of the browser's stability and performance.
For instance, the new keyboard stuff in 1.2a (ok, it's an Alpha I know), had screwed up Javascript's keydown events - the browser intercepts them first, then passes the event to the scripting engine so if a key is held down you get the anoying error "bell" as the buffer is filled. Keyboard events->javascript is/was also broken completely in the Mac/Linux port from 1.1. 1.2a is also slower than 1.1 at rendering dynamic content - especially content that involves keyboard input (like games) due to the problem above.
Also when will they fix the damned image clipping bug in linux that's been there for 2 sodding years now?!! For those who haven't seen it, when clipping an element containing images that have transparency, everything except the images will be clipped, completely ruining the layout of dynamic scripts.
I guess no-one wants to work on the boring stuff like making it work when there's sidebars, tabs and themes to be had...
</rant>
Code, Hardware, stuff like that.
For this demonstration, the image loaded is really a script that sets a cookie with the request referer.
I just said "no" to the cookie dialog and that appears to have broken the example.
If you're going to raise a stink about your browser's security, why are you accepting any and all cookies?
After testing the bug site listed, it looks like this privacy leak doesn't actually follow you around, but, only reports the NEXT PAGE you look at.
:), you would need a bunch of websites to be running this exploit and sharing data to get much info out of it.
I jumped around to various pages, and, it only recorded the mozilla.org link. AFAIK, you only get the very next page linked from the exploiting referrer.
So, unless slashdot is a participant in this scheme
Severity = TAFNAB
The workaround is to disable the onunload handler. This is the kind of workaround that breaks legitimate applications.
First of all, this does not allow someone to track where you're going but rather where you went. I know that sounds like nitpicking, but really it's the difference between a bug and a correct protocol implementation.
The method described is to check the referrer on requests sent to a particular server after the user has left a page on that server. Surprise! the referrer is now their current location i.e. where they went after your site.
Would you expect any different?
It's matter of micro-seconds and request timing.
Ok, maybe they could make sure all requests generated by an 'onunload' event are handled before the request to the following page, but personally I would consider that a judgement call and not 'bug'.
Also, I've noticed people here don't seem to give a hoot that your entire history of where you came from can be far more easily tracked!
Perhaps my lack of knowledge of JavaScript, but what exactly constitutes a legitimate use of onUnLoad?
I'll give you one example. My company sells software with web front-end interfaces. One of the techniques we use is implementing a close-to-log-out feature. In other words, when you close the main app window, a handler fires that closes all daughter windows of the main app window and ends the user's session. That depends on onunload().
We also use onunload() to make sure the application doesn't get confused if a user closes a window on which the application depends. When the users closes a window-- an alert dialog, say-- the onunload() handler checks to make sure that everything is as it should be. If it isn't, an error condition is established. Without onunload(), our application would be much less reliable in those kinds of situations.
It isn't "Open Source's" fault. Slashdot is to blame. They are just extremely biased toward open source.
Slashdot really sucks nowadays. There are better alternatives. Check out
Quit Slashdot Movement.
Well, for your UI issues you might have tried Chimera on your Mac. Galeon on a Linux box is slick and without a doubt the best browser I have ever used.
I have not found OmniWeb to be faster than Mozilla on the ibook, but it sounds like you have an issue with RAM and that is not really an issue in our house.
Okay, I am not a great fan of the Mozilla Navigator's prefs menu, but once you learn it and set your prefs you can mostly forget about it. And about creating a user.js file, it's not that difficult, and once you do it you'll have a better browsing experience with little hassle. I love having a config file that I can just backup and drop in a new installation. What's so upsetting about a config file? With a sane file manager and a text editor it's trivial.
What about the positives of Mozilla? Tabbed browsing? No pop-ups? Pipelining? Are you saying nothing about Mozilla interested you?