Privacy Leak in Mozilla and Mozilla-Based Browsers
Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon.
The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."
...is that the bug has apparently been a known one for months, and still hasn't been repaired.
I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.
Do not link to BugZilla from the front page. Not only is it extremely impolite to overload their system with a bunch of hits from people who have no actual interest in the page, but they have disabled links with a slashdot referrer anyway. I'm sure some clued person will go to the bug report and relay any pertinent information in the comments anyway.
People will tell you to disable Javascript altogether for protection, but it's better to just disable the onunload event. Just put the following line into your user.js file:
user_pref("capability.policy.default.Window.onunload", "noAccess");
You won't miss those onunload events anyway :)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
I very highly doubt that any site that I visit will be exploiting this bug. Who would waste the time to do this when only about 1% of their visitors will be susceptible to the user tracking? Yeah, I am concerned about privacy, but is this really news? Thanks /. for keeping me informed.
I do everything in Mozilla in tabs. I open new sites in tabs, I'll even load other pages in tabs (middle click is your friend). As a result, they can't spy on me, because I don't go anywhere in that tab once I get there. If (and that might be a pretty big if) that is how you do your browsing, this bug isn't a big deal.
Bryan
It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infallible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.
From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disabled features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.
Doing illegal things isn't the only way this could be a problem. For example, let's say I use the Google Browser buttons after reading your web page to execute a search. I may not want you to know that after reading your web page I executed a search for "anonymous STD testing Chicago."
It's not "nasty" per se, but I sure don't need to broadcast that to the world.
At least for me. I tried the windows enigmail on 1.0a, 1.1a, and now 1.2a, and none of them work. GnuPG is installed in c:/gnupg where it belongs... I thought this shit was supposed to be seamless.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
.. how many people are saying "no big deal". If the article stated:
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
Because of a /. article and because I'm OS/Software agnostic, I tried Mozilla 1.0 which was a horrible product. I could repeatedly lock up the browser simply by going into the preferences. Maybe it's been fixed in 1.0.1, but I'm not willing to waste my time, especially since IE runs just fine.
/. editors have taken.
I have excellent Karma, so if you can't handle the truth, mod me down, I don't give a shit, I'm just sick of the "hippicratical oath"
Live web cams
It's more or less the inverse, this bug enables the referer to know where they referred you to.
Of course, if you really wanted to do that then in most cases you'd just set up a bounce script on your server, much like freshmeat does, so that it would work on anyone.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Is that as breaches go it is a fairly minor one with a trivial workaround, yet it remained confidential in bugzilla.
If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.
The YOU online updater in Yast has been set up to automatically download and install the patch for a coupla months now. Of course, it only applies to the default 0.98 Mozilla version included with the distro, but for those who haven't upgraded, it's there.
THE GOOD HUMOR MAN CAN ONLY BE PUSHED SO FAR
Bart Simpson on chalkboard in episode 2F18
Did your wife buy that excuse when you tried it on her?
Well, this just proves my point. Javascript should be disabled. (check my older posts, it's there somewhere).
Anyhow, I think everyone should look into Privoxy [privoxy.org]. In my setup, I have all on(un)load tags removed, and the referer forged to report it as the root of the current server.
It's quite nice. You simply set up a regex to replace/remove any HTML, you can configure that feature on a site-by-site basis, and do so using a simple web editor.
So, check it out, and take back full control of your browser.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
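An added example, not part of the original thread and not Privoxy's own code: a small Python filter that does what the Privoxy setup above describes for on(un)load handlers, stripping onload/onunload attributes from every start tag. The sample page, the function name and the regexes are constructed here; Privoxy does the same job with its own filter syntax.

```python
import re

# Attribute regex: leading whitespace, the handler name, "=", then a quoted or bare value.
_LOAD_ATTR_RE = re.compile(
    r"""\s+on(?:un)?load\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""",
    re.IGNORECASE,
)
# Start-tag regex: tag name plus an attribute run containing no angle brackets.
# A ">" inside a quoted attribute value ends the match early; acceptable for a filter.
_START_TAG_RE = re.compile(r"<([A-Za-z][\w:-]*)(\s[^<>]*)?>")


def strip_load_handlers(html: str) -> tuple:
    """Return (filtered_html, number_of_handler_attributes_removed)."""
    removed = 0

    def rewrite(match):
        nonlocal removed
        name, attrs = match.group(1), match.group(2) or ""
        attrs, n = _LOAD_ATTR_RE.subn("", attrs)
        removed += n
        return "<%s%s>" % (name, attrs)

    return _START_TAG_RE.sub(rewrite, html), removed


# Constructed sample page (not from the article): an onload, an onunload,
# a bare-valued onload on an image, and one harmless attribute that must survive.
SAMPLE_PAGE = (
    '<html><body onload="init()" onUnload=\'cleanup()\' class="main">'
    '<img src="/logo.gif" onload=trackLoad()>'
    '<p>Hello</p></body></html>'
)


def filter_sample():
    """Run the filter over the constructed page."""
    return strip_load_handlers(SAMPLE_PAGE)


if __name__ == "__main__":
    out, n = filter_sample()
    print(n, "handler attribute(s) removed")
    print(out)
```

Attribute filtering only catches handlers written into the markup; a script that assigns window.onunload at runtime is untouched, which is why the user.js policy on Window.onunload mentioned earlier in the thread is the more complete client-side cut, and why hiding the referer addresses the leak itself rather than one way of triggering it.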
The last few builds have introduced more bugs than ever. It seems to me that spangly new features are being introduced at the expense of the browser's stability and performance.
For instance, the new keyboard stuff in 1.2a (ok, it's an Alpha I know), had screwed up Javascript's keydown events - the browser intercepts them first, then passes the event to the scripting engine so if a key is held down you get the annoying error "bell" as the buffer is filled. Keyboard events->javascript is/was also broken completely in the Mac/Linux port from 1.1. 1.2a is also slower than 1.1 at rendering dynamic content - especially content that involves keyboard input (like games) due to the problem above.
Also when will they fix the damned image clipping bug in linux that's been there for 2 sodding years now?!! For those who haven't seen it, when clipping an element containing images that have transparency, everything except the images will be clipped, completely ruining the layout of dynamic scripts.
I guess no-one wants to work on the boring stuff like making it work when there's sidebars, tabs and themes to be had...
</rant>
Code, Hardware, stuff like that.
If you think that all that matters is whether the /. community thinks something is secure or not, then you are looking in the wrong place.
In the real world, there will always be security problems. The real issue is the scope of those problems. I happen to think that Mozilla and open source software in general tends to be more secure (aside from old versions of BIND and all versions of Sendmail).
If security is what you want, do a risk assessment, and look at the actual ways that different products will mitigate those risks. If you use Linux because it is "More Secure" then you are asking for trouble. So, you need to make up your own mind and determine what you need to do.
In other words, don't follow someone's opinion until you understand why they think that way and whether it applies to your situation.
LedgerSMB: Open source Accounting/ERP
> It's more or less the inverse, this bug enables the referer to know where they referred you to.
Grandparent was talking about the CGI scripts used to track users who click an outward link on a web site. (Some Slashdot users abuse those scripts to create a link that appears to go to Yahoo! but really goes to Goatse.cx.) However, this bug in Mozilla gives a site's scripts access to a clicked bookmark or to a URL entered in the location bar.
Will I retire or break 10K?
This same post under an article that says "IE has a security leak" would be modded to -1. It IS a big deal. Especially, since it STILL hasn't been fixed. The responses would say, "This wouldn't happen under Open Source". Somebody would fix it." Well, it IS Open Source, and it still hasn't been fixed.
For this demonstration, the image loaded is really a script that sets a cookie with the request referer.
I just said "no" to the cookie dialog and that appears to have broken the example.
If you're going to raise a stink about your browser's security, why are you accepting any and all cookies?
I looked at my settings, and was amused to find that I had disabled javascript's ability to create/mess with cookies. I'm happy the Mozilla team partitioned the javascript functionality like this, because (it appears anyway) that until a bug fix is available, you only have to disable this one aspect of javascript.
Without the Referer: how do they know where the links are coming from?
That's why GameFAQs.com allows linking only to HTML pages.
Exactly - a solution that doesn't involve Referrer.
If you care to follow that link...
Server side systems.
I don't know if something exists yet (if not, off to Apache module programming land for me), but the server should make sure that an IP has gotten an HTML page before it fetches an image or other large binary.
The referer: header is good for keeping people in sites, but there is no need for the system to keep track of people coming from other sites, and being able to identify those sites.
-twb
But why is it when it's an IE bug, it's a "Severe Security Exploit", and when it's a Mozilla bug, it's a "Privacy Leak"...
George Carlin said it best, that we think in language. Changing the rhetoric that is used to describe the problem doesn't change the problem. You can be Anti-Microsoft all you want, but that is worth NOTHING if the software that you choose to use exhibits the same problems, and you are not honest about them.
Again, I'm not taking Microsoft's side -- there aren't sides to take. Open Source software needs to be just as accountable as commercial software if it's to be taken seriously.
It doesn't need to; it just needs to know whether the client is asking for .html or .htm .... right?
Honestly, this is a _NEWS_ site, not a list of programs you're supposed to use. So, there's some _good_ stuff out there about Mozilla, there's also some bad stuff.
Just be thankful it's open-source, because that means that there's a couple million people who can help fix it.
Karma: Non-Heinous
First of all, this does not allow someone to track where you're going but rather where you went. I know that sounds like nitpicking, but really it's the difference between a bug and a correct protocol implementation.
The method described is to check the referrer on requests sent to a particular server after the user has left a page on that server. Surprise! the referrer is now their current location i.e. where they went after your site.
Would you expect any different?
It's a matter of microseconds and request timing.
Ok, maybe they could make sure all requests generated by an 'onunload' event are handled before the request to the following page, but personally I would consider that a judgement call and not 'bug'.
Also, I've noticed people here don't seem to give a hoot that your entire history of where you came from can be far more easily tracked!
Either that, or Opera.
I'd switch to Konqueror in a heartbeat if it supported a way to hand off the URL of a link to another program, though. I love Konqueror, but I love Downloader for X more.
Offtopic, but are KDE developers going nuts on optimizations? Built 3.0.3 yesterday, and it just flies on my old K6-500.
We will not tolerate ourselves to look stupid while accusing other companies of leaving security holes for months, and then doing it ourselves. Do it again, and we will slashdot you again. And yes, we will defeat your referrer. Thank you, have a nice day. :)
Berto
NO.
The implementors of the demo were lazy (having no server-side scripting) and used a cookie to record the information leaked by onUnload. You are in no way protected by disabling cookies.
That just breaks the demo, the vulnerability is still there.
Black holes are where the Matrix raised SIGFPE
D'oh! yeah I did know this; just wasn't thinking. It still seems there should be a way to tell without Referrer: since a single image requested by a user-agent that isn't requesting html files could be blocked. It's been a while since I messed with apache settings and I guess it shows; heh.
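An added example, not part of the original thread: the server-side idea floated twice above (serve an image or other binary only to a client that has already fetched an HTML page, so no Referer is needed) worked through in Python against a constructed request stream. The class, the suffix lists and the 10-minute window are assumptions made here; an Apache module would keep the same per-client state.

```python
HTML_SUFFIXES = (".html", ".htm", "/")            # what counts as "getting an HTML page"
BINARY_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".zip", ".pdf", ".exe")
WINDOW_SECONDS = 600                                # assumption: a page view vouches for 10 minutes


class FirstPageGate:
    """Serve binaries only to client addresses that fetched an HTML page recently.

    The Referer header is never consulted, so the check also works for clients
    that blank it (Opera's option, proxies such as Privoxy).
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.last_page = {}   # ip -> timestamp of the most recent HTML fetch

    def decide(self, ip, path, now):
        target = path.split("?", 1)[0].lower()     # ignore the query string
        if target.endswith(HTML_SUFFIXES):
            self.last_page[ip] = now                # this client is now "known"
            return "serve"
        if target.endswith(BINARY_SUFFIXES):
            seen = self.last_page.get(ip)
            if seen is not None and now - seen <= self.window:
                return "serve"
            return "deny"                           # hotlink or stale client
        return "serve"                              # scripts, CSS etc. are not gated here


# Constructed request stream (ip, path, seconds since start); not from any real log.
SAMPLE_REQUESTS = [
    ("10.0.0.1", "/index.html", 0),
    ("10.0.0.1", "/logo.gif", 1),
    ("10.0.0.2", "/logo.gif", 2),            # image requested with no page first
    ("10.0.0.2", "/guide.htm", 3),
    ("10.0.0.2", "/logo.gif", 4),            # same client, now vouched for
    ("10.0.0.1", "/download/big.zip", 700),  # page view older than the window
    ("10.0.0.3", "/cgi-bin/status", 5),      # neither page nor binary: not gated
]


def run_sample():
    """Apply the gate to the constructed stream and return one decision per request."""
    gate = FirstPageGate()
    return [gate.decide(ip, path, t) for ip, path, t in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ip, path, t), verdict in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{t:4d}s {ip:10s} {path:20s} -> {verdict}")
```

The heuristic is coarse in both directions: clients behind one NAT or proxy share an address, so a hotlinker behind the same proxy as a legitimate visitor gets through, and a returning visitor whose browser cached the page may be refused the image. It is a substitute for Referer-based hotlink checks, not a fix for the onunload leak, which is the client sending its next URL in Referer.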
How in the hell do you go from funny to offtopic, when the post is clearly related to the one that is funny?
Funny trumps off-topic. A post that's both funny and off-topic will be moderated as funny. A post that's merely off-topic-- without being funny-- will be moderated off-topic.
This should be obvious. Perhaps your trouble is that you're an idiot?
Any developer who puts the username and password in a URL should be shot. And any user who sees their password in the URL in plain sight and doesn't complain, or stop using the services, shouldn't be allowed near a computer to begin with.
See parent comment aboot Slashcode.
Heh. This post reminds me of the old Far Side cartoon. A caveman is trying to sell another caveman a car. In the background you see lots of Fred Flintstone-style caveman cars, each with square wheels. The car in the foreground has triangular wheels. The salesman is saying, "This new, improved model. Has one less bump."
Yeah, I'm off-topic. I'm way the fuck off-topic. I'm so off-topic, I'm not even going to mention the topic (although I could, just to stay topical). Mod me down if you want. I've got karma to burn, and I'm feeling grouchy and self-destructive.
I'd define the terms thus:
Privacy leak: lets someone else see what I'm doing or where I'm going. Does not let them see into my system.
Security exploit: lets someone else see the contents of my HD.
Severe security exploit: lets someone else *manipulate* the contents of my HD, pilfer my credit card number, or something else on that order.
~REZ~ #43301. Who'd fake being me anyway?
Conclusive proof! Making a disparaging comment about Mozilla-- or Linux, or Gnome, or KDE, or any of that shit-- is, prima facie, enough to get moderated down on Slashdot. Somebody threw this AC a downmod just because he said that one option-- and possibly the best one-- was not to use Mozilla.
I will mail one crisp new American dollar, postage paid, to the first person who moderates this comment down. Send your claim to foobar104@yahoo.com.
Nothing gets my goat more than having crappy software shoved down my throat with a "and you will like it" to wash it down.
I'm tons more willing to cut some slack to a free and open source project for a minor issue than to let off some corporation responsible for riddling my machine with security problems I can't uninstall-- and routinely refuses to fix in a timely manner.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
The poster asks:
> But why is it when it's an IE bug, it's a "Severe Security Exploit", and when it's a Mozilla bug, it's a "Privacy Leak"...
And it is currently rated as "Score:5, Insightful".
I fear that Slashdot's moderation facility is being used by Microsoft as another FUD tool. While some posters try to moderate honestly, Microsoft astroturfers moderate each others' posts up, thus increasing their karma, and giving themselves more power to moderate.
There is no objective basis by which the above post could be considered "insightful".
In fact, the above post is completely stupid.
The post suggests there is something wrong when some IE vulnerabilities have been rated "Severe", while this Mozilla vulnerability is just rated as a "Privacy Leak".
Let's consider that.
Should this Mozilla problem be considered as "severe"? Hardly. As others have pointed out, providing the URL of the site you are going to is not that different from what all browsers have always done when they provide the URL of the site you came from. In fact, the problem is so minor that I am not even going to bother installing the fix until the next browser release comes out. When referring to this problem, the words "Privacy Leak" are, if anything, too strong.
On the other hand, let's consider some of the _19_ currently unpatched security holes in IE.
Here are some samples:
> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer
> Java XMLDSO base tag
> Description: Arbitrary local file reading.
> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.
> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach
> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.
Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Should any of those be considered "severe"? You betcha!
In fact, of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.
So clearly, the original poster is an idiot. Objectively, his post should be rated "Score:-1, Troll".
I would say that the posters who moderated his post up are even bigger idiots, but I don't believe that to be the case. Instead, I figure they're probably professional liars, being paid by Microsoft.
I find it unconscionable that such a gaping hole has been allowed to remain over a month... shame on the Mozilla team :(
many popular leech scripts allow you to set the referer for when you want to leech those cool apps.
If it wasn't for referer the revenue streams of many Internet companies would disappear. And not just annoying stuff like ads and pop-ups.
Knowledge of traffic patterns and their journey is an important part of knowing how to promote your site. You can work with your cross linked sites to best position those links. For us the referer field is just as important as our hit counts, if not more so.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Not just the referring host.
:]
I don't have, and never will have, any intention of mapping search terms to users, but which search terms drive traffic to our site is a vital piece of information for us.
On a serious site search engine positioning is a daily job. Spending $50 on some shareware search engine submission program and running it the day you finish your web site just isn't enough.
The data we get from our referring page information is what helps us keep a top ten google position for our chosen key words.
I would guess that 90% of web design houses know next to nothing about web positioning. [which is great news for us]
Opera lets you turn off the referrer entirely. I always use that, for privacy reasons. Besides, it lets me use the Bugzilla links that people say are designed to be inaccessible from Slashdot :-).
What good is the referrer supposed to do, anyway? I always found it disturbing to be able to see in my logs which IMAP folders people use with their webmail.
In all honesty, I don't think we do. Our app is meant to be fairly modal; i.e., when a daughter window opens, the user is expected to deal with it, then close it, then go back to the main window. So we don't need to keep track of several open windows at once.
Sorry I couldn't help more.
The nice thing is that Mozilla has a workaround, one that basically kills off a whole potential series of exploits.
When you click on a broken link and get an "oops!" page, remember that HTTP_REFERER tells the site where you came from, so that the broken link can be fixed.
It's standard on many of my sites to do this - it's a very good thing IMHO - improving customer experience is good, and we certainly don't CARE who you are!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
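An added example, not from the thread or from any poster: the two legitimate uses of HTTP_REFERER described above (telling typed/bookmarked entries from linked ones, and finding the pages that link to your broken URLs) as a small Python pass over Apache combined-format log lines. The log lines, hostnames and function names are constructed here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_referer(referer, own_host):
    """'direct' (no Referer: typed URL or bookmark), 'internal' (our own pages) or 'external'."""
    if referer in ("", "-"):
        return "direct"
    host = urlsplit(referer).hostname or ""
    return "internal" if host.lower() == own_host.lower() else "external"


def referer_summary(lines, own_host):
    """Count hits by referer class; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[classify_referer(rec["referer"], own_host)] += 1
    return dict(counts)


def broken_inbound_links(lines, own_host):
    """Map (external referer, requested path) -> number of 404s: who links to dead URLs."""
    broken = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["status"] == "404"
                and classify_referer(rec["referer"], own_host) == "external"):
            broken[(rec["referer"], rec["path"])] += 1
    return dict(broken)


# Constructed sample log for www.example.com (not a real access log).
SAMPLE_LOG = """\
10.0.0.1 - - [14/Sep/2002:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.1) Gecko/20020826"
10.0.0.1 - - [14/Sep/2002:10:00:02 +0000] "GET /logo.gif HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/5.0 (X11; U; Linux i686; rv:1.1) Gecko/20020826"
10.0.0.2 - - [14/Sep/2002:10:01:10 +0000] "GET /old-page.html HTTP/1.1" 404 210 "http://partner.example.org/links.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.3 - - [14/Sep/2002:10:02:30 +0000] "GET /old-page.html HTTP/1.1" 404 210 "http://partner.example.org/links.html" "Opera/6.05 (Windows 2000; U)"
10.0.0.4 - - [14/Sep/2002:10:03:00 +0000] "GET /docs/ HTTP/1.0" 200 3300 "http://www.google.com/search?q=mozilla+onunload" "Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.2a) Gecko/20020910"
"""

OWN_HOST = "www.example.com"


def analyse_sample():
    """Run both reports over the constructed log."""
    lines = SAMPLE_LOG.splitlines()
    return referer_summary(lines, OWN_HOST), broken_inbound_links(lines, OWN_HOST)


if __name__ == "__main__":
    summary, broken = analyse_sample()
    print("hits by referer class:", summary)
    for (ref, path), n in broken.items():
        print(f"{n} x 404 for {path} linked from {ref}")
```

The Referer value is whatever the client chose to send: the Opera poster blanks it and the leech scripts mentioned later set it freely, so these reports are traffic hints for fixing links and placing them, never an access-control signal.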
Well, Privoxy looks like it'd be a lot of work to configure. On the other hand, it's got pretty good docs, and working with it will probably teach you a lot about how http works in the real world. Which is actually the main reason I just downloaded it.
Be that as it may, there are times when I need to allow popups in order to get full use out of a site. What's needed is a simple popup policy engine, something like the cookies privacy engine in IE. In particular, I'd like to impose a global limit on popup frequency, so a site can't force me to accept all their crap just to get a single popup window that I want to see. The simplistic "no popups" option in Mozilla is not useful for most of us.