Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Leak in Mozilla and Mozilla-Based Browsers

Posted by timothy on from the where-are-you-going-where-have-you-been dept.

Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon. The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."

34 of 357 comments (clear)

  1. The most disturbing thing about this... by Corvaith · · Score: 5, Interesting

    ...is that the bug has apparently been a known one for months, and still hasn't been repaired.

    I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.

    1. Re:The most disturbing thing about this... by jmcnamera · · Score: 4, Insightful

      If this bug has really been known for months, are we hypocritical to bash others (always MS) for late fixes?

      Bugs should be publicized immediately so fixes will happen sooner. It's good to first inform those who are responsible for the code so they can have a heads up, but months (if true here) is too long to wait.

      --
      this is not a sig
    2. Re:The most disturbing thing about this... by Anonymous Coward · · Score: 5, Insightful

      > This just troubles me greatly.

      Fine, this is not how you'd expect it to work.

      But, GIVE ME A BREAK. Privacy issues on the Web are legend. Cookies, refer, hidden fields, the entire body of software we know as "IE", the list goes on and on and on.

      So, by some new "stupid browser trick" you can now see where people are going -- not just where they've come from (as has always, forever, been the case).

      Oh my.

      If you are worried about "privacy" then you have been using an appropriate "junk busting" proxy from day one.

      If you are not using such a proxy, then you are not now, and never have been, seriously worried about privacy. And, this "horror of horrors" is no more an issue to anyone than the Referrer field.

      This sounds more like Microsoft Marketing pouring though a Bug Base and using the media to turn a mole hill into a mountain.

      Should it be fixed? Yea. So should Referrer be removed from existence. So should alot of much more pressing privacy issues be outright abolished.

      So go back to sleep. If you weren't worried about this yesterday, then there is no reason for you to be worried about it today.

    3. Re:The most disturbing thing about this... by cpeterso · · Score: 4, Funny


      Mozilla is open source. Why haven't YOU fixed this bug yet?

      --
      cpeterso
  2. Dear Slashdot morons by rebrane · · Score: 5, Interesting

    Do not link to BugZilla from the front page. Not only is it extremely impolite to overload their system with a bunch of hits from people who have no actual interest in the page, but they have disabled links with a slashdot referrer anyway. I'm sure some clued person will go to the bug report and relay any pertinent information in the comments anyway.

    1. Re:Dear Slashdot morons by Neon+Spiral+Injector · · Score: 5, Funny

      Have they also disabled people leaving Bugzilla to go to Slashdot? Okay, I know that was bad.

  3. Easy work-around for now by RPoet · · Score: 5, Informative

    People will tell you to disable Javascript alltogether for protection, but it's better to just disable the onunload event. Just put the following line into your user.js file:

    user_pref("capability.policy.default.Window.onun lo ad", "noAccess");

    You won't miss those ununload events anyway :)

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
    1. Re:Easy work-around for now by dbaron · · Score: 3, Interesting

      This workaround will only disable one of the ways the bug can be exploited (albeit the easier way to exploit it). Based on my reading of the bug, it can also be exploited through timeouts, although methods for doing so are probably less reliable.

    2. Re:Easy work-around for now by bcrowell · · Score: 3, Informative

      Where is your user.js file supposed to be (on Linux)? Slocate tells me I don't have one. Should I create one somewhere with only this line in it?

      --
      Find free books.
    3. Re:Easy work-around for now by xanadu-xtroot.com · · Score: 3, Interesting

      It's not a bug.

      This was the solution to a hack, actually (IIRC). The Page Widening Trolls (TM) like to make a string of text thousands of characters long so there's a real nasty side-scroll. By adding in that space every X nuber of characters, it becaome imposible for the trolls to make the window side scroll.

      Browse /. at 0 or -1, you'll still see some of them.

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
    4. Re:Easy work-around for now by maw · · Score: 4, Informative

      You should have a file called prefs.js somewhere within your $HOME/.mozilla directory. You can set user_prefs there.

      --
      You're a suburbanite.
    5. Re:Easy work-around for now by teslatug · · Score: 4, Informative

      better not to set them in prefs.js ,but in user.js (create new file if not there) as the settings in the prefs.js file might get overwritten

    6. Re:Easy work-around for now by superpeach · · Score: 3, Informative

      Yes, create one
      If you just use mozilla as it is then you create your user.js in ~/.mozilla/[your_username]/[some random directory name]/user.js - the path up to user.js should exist already if you have used mozilla, and hopefully only 1 with a wierd random name :)
      If you use galeon, then it goes in ~/.galeon/mozilla/galeon/user.js

  4. No Big Deal by md17 · · Score: 3, Interesting

    I very highly doubt that any site that I visit will be exploiting this bug. Who would waste the time to do this when only about 1% of their visitors will be susceptible to the user tracking. Yeah, I am concered about privacy, but is this really news? Thanks /. for keeping me informed.

  5. HTTP_REFERER by nick_davison · · Score: 5, Interesting
    The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field.

    It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infalible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.

    From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disable features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.

    1. Re:HTTP_REFERER by singularity · · Score: 4, Informative

      As with a lot of browser-based things that show up on Slashdot, I feel the need to chime in with a different perspective, from a browser that does a lot of these things correctly.

      iCab, on the Mac, has a setting (and has had it almost since its very first versions) to only allow the Referrer: to be sent only when in the same domain (or even never sent). So Sony.com can trace how I look through their site, but cannot see that I came to Sony's site from a link on slashdot.org

      I could even set it to never send it, as well.

      --
      - (c) 2018 Hank Zimmerman
  6. Re:Yawn. by agentZ · · Score: 3, Insightful

    Doing illegal things isn't the only way this could be a problem. For example, let's say I use the
    Google Browser buttons after reading your web page to execute a search. I may not want you to know that after reading your web page I executed a search for "anonymous STD testing Chicago."

    It's not "nasty" per se, but I sure don't need to broadcast that to the world.

  7. The problem with this bug by Chuck+Chunder · · Score: 4, Insightful

    Is that as breeches go it is a fairly minor one with a trivial work around, yet it remained confidential in bugzilla.
    If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:The problem with this bug by Wumpus · · Score: 3, Interesting

      The workaround is to disable the onunload handler. This is the kind of workaround that breaks legitimate applications.

    2. Re:The problem with this bug by jesser · · Score: 4, Insightful

      If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.

      The bug was public for two months before it was marked as security-sensitive. There isn't an army of coders who spend all of their time fixing known minor privacy bugs. The bug had the "privacy" keyword for almost two months before it was marked as security-sensitive, so it would not have been invisible to such an army.

      I'm not saying it was a good idea to make it security-sensitive after it was open for a while. It wasn't a good idea in this case, because someone who had seen the bug while it was public decided to make it public again. I'm just saying that leaving it open probably would not have led someone to fix it immediately.

      --
      The shareholder is always right.
    3. Re:The problem with this bug by foobar104 · · Score: 5, Interesting

      Perhaps my lack of knowledge of JavaScript, but what exactly constitutes a legitimate use of onUnLoad?

      I'll give you one example. My company sells software with web front-end interfaces. One of the techniques we use is implementing a close-to-log-out feature. In other words, when you close the main app window, a handler fires that closes all daughter windows of the main app window and ends the user's session. That depends on onunload().

      We also use onunload() to make sure the application doesn't get confused if a user closes a window on which the application depends. When the users closes a window-- an alert dialog, say-- the onunload() handler checks to make sure that everything is as it should be. If it isn't, an error condition is established. Without onunload(), our application would be much less reliable in those kinds of situations.

    4. Re:The problem with this bug by foobar104 · · Score: 4, Insightful

      Myself, I prefer to rely on the user closing their session(s) properly....

      I mean no offense, but that's a terrible idea. I say that only because we had a pretty serious debate-- okay, shouting match-- about this in a team meeting about a year ago. On the one hand, there were us-- the managers-- saying that the software had to be resilient in the face of inconsistent or wrong user input. On the other, we had the engineers who said things like, "Browsers just don't work that way," and "Of course it's going to break if you do something stupid," and "We have to rely on the user closing their session properly." The bottom line is this: users don't do what you tell them. If you tell them not to close the window, they'll close it anyway. Your app has to be able to deal with things like that, just as it has to deal with "no such file or directory" or "out of memory." Without onunload(), it'd be impossible to write a non-trivial, resilient web application.

      Okay, end of rant. ;-)

    5. Re:The problem with this bug by Idaho · · Score: 4, Insightful

      The workaround is to disable the onunload handler. This is the kind of workaround that breaks legitimate applications.

      Are you going to tell me there actually are legitimate uses for unonload!?

      I use the internet since 1996 and have yet to come across the first site that uses this 'feature' *cough* in a usefull, non-irritating manner (i.e. something else then opening a bazillion new popups as soon as you close the previous one)

      I can not imagine why onunload exists in the first place - 2nd, I can not imagine why people would ever leave it on if they can turn it off.

      But maybe that's just because my imagination is so limited :)

      --
      Every expression is true, for a given value of 'true'
  8. Re:Yawn. by jnana · · Score: 3, Funny

    Did your wife buy that excuse when you tried it on her?

  9. Muwahahaha by evilviper · · Score: 4, Informative

    Well, this just proves my point. Javascript should be disabled. (check my older posts, it's there somewhere).

    Anyhow, I think everyone should look into Privoxy [privoxy.org]. In my setup, I have all on(un)load tags removed, and the refer forged to report the it as root of the current server.

    It's quite nice. You simply setup a regex to replace/remove any HTML, you can configure that feature on a site-by-site basis, and do so using a simple web-editor.

    So, check it out, and take back full control of your browser.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  10. Not to knock Mozilla but... by FyRE666 · · Score: 3, Interesting

    The last few builds have introduced more bugs than ever. It seems to me that spangly new features are being introduced at the expense of the browser's stability and performance.

    For instance, the new keyboard stuff in 1.2a (ok, it's an Alpha I know), had screwed up Javascript's keydown events - the browser intercepts them first, then passes the event to the scripting engine so if a key is held down you get the anoying error "bell" as the buffer is filled. Keyboard events->javascript is/was also broken completely in the Mac/Linux port from 1.1. 1.2a is also slower than 1.1 at rendering dynamic content - especially content that involves keyboard input (like games) due to the problem above.

    Also when will they fix the damned image clipping bug in linux that's been there for 2 sodding years now?!! For those who haven't seen it, when clipping an element containing images that have transparency, everything except the images will be clipped, completely ruining the layout of dynamic scripts.

    I guess no-one wants to work on the boring stuff like making it work when there's sidebars, tabs and themes to be had...

    </rant>

    --
    Code, Hardware, stuff like that.
  11. My advice-- by einhverfr · · Score: 3, Insightful

    If you think that all that matters is whether the /. community things something is secure or not, then you are looking in the wrong place.

    In the real world, there will always be security problems. THe real issue is the scope of those problems. I happen to think that Mozilla and open source software in general tends to be more secure (aside from old versions of BIND and all versions of Sendmail).

    If security is what you want, do a risk assessment, and look at the actual ways that different products will mitigate those risks. If you use Linux because it is "More Secure" then you are asking for trouble. So, you need to make up your own mind and determine what you need to do.

    In other words, don't follow someone's oppinion until you understand why they think that way and whether it applies to your situation.

    --

    LedgerSMB: Open source Accounting/ERP
  12. Re:I can't get the demo to work... by superpeach · · Score: 3, Informative

    The bug has nothing to do with cookies, the cookie is just so that the demo site can tell you where you went after visiting there. The problem is with the window.onunload javascript function - so either that needs to be disables, or all of javascript (the instructions are on the demo page for how to only disable onunload). All that stopping javascript playing with cookies will do is stop the demo from being able to tell you where you went, the server operators can still find out if they wanted.

  13. I hate to defend Microsoft... by coene · · Score: 4, Insightful

    But why is it when its an IE bug, its a "Severe Security Exploit", and when its a Mozilla bug, its a "Privacy Leak"...

    George Carlin said it best, that we think in language. Changing the rhetoric that is used to describe the problem doesent change the problem. You can be Anti-Microsoft all you want, but that is worth NOTHING if the software that you choose to use exhibits the same problems, and you are not honest about them.

    Again, I'm not taking Microsoft's side -- there aren't sides to take. Open Source software needs to be just as accountable as commercial software if it's to be taken seriously.

    1. Re:I hate to defend Microsoft... by brettlbecker · · Score: 3, Insightful

      There is a bit of a difference between allowing a server to track your next site from their own site and a hole in IE allowing a hacker to enter and exploit your system, or a hole in OE that allows viruses to propgate, using your machine like a 2-dollar whore. You're right on two points-- it is still privacy. But there is a distinct difference between someone watching you to see where you live and the act of breaking in to your home to steal your underwear. And yes, open source software needs to be just as accountable. And I'm sure they will be... they'll fix this problem. Whatever the semantics, it is still a problem and it will still be fixed.

      --
      "We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
  14. bug? by bilbobuggins · · Score: 4, Interesting
    I don't understand how this is a 'bug'.

    First of all, this does not allow someone to track where you're going but rather where you went. I know that sounds like nitpicking, but really it's the difference between a bug and a correct protocol implementation.

    The method described is to check the referrer on requests sent to a particular server after the user has left a page on that server. Surprise! the referrer is now their current location i.e. where they went after your site.
    Would you expect any different?
    It's matter of micro-seconds and request timing.
    Ok, maybe they could make sure all requests generated by an 'onunload' event are handled before the request to the following page, but personally I would consider that a judgement call and not 'bug'.

    Also, I've noticed people here don't seem to give a hoot that your entire history of where you came from can be far more easily tracked!

  15. Re:Easy Fix! by moogla · · Score: 3, Insightful

    NO.

    The implementors of the demo were lazy (having no server-side scripting) and used a cookie to record the information leaked by onUnload. You are in no way protected by disabling cookies.

    That just breaks the demo, the vulnerability is still there.

    --
    Black holes are where the Matrix raised SIGFPE
  16. Re:cookie, cookie, cookie by lamp77 · · Score: 3, Informative

    Dude, the first line reads

    For this demonstration, you need to enable cookies. The bug itself does not require cookies to be enabled, however.

    I think that explains the situration pretty clearly.

  17. Re:I'm surprised.. by robson · · Score: 3, Insightful

    Mozilla would have been great if it had been called Netscape 5.0 and released in early 1998. Since this is 2002 and the world has moved on, Mozilla sucks pretty hard.

    Since you sound like an otherwise reasonable person, I can't help but think that you simply haven't given Mozilla a chance. Having used all of the major browsers available, I prefer Mozilla. Not because it's open-source, not because it's an underdog, but because I like it. If you'd said, "Mozilla doesn't offer enough for me to switch," that would've made sense; however, I can't see how anyone who'd used Mozilla (1.0+) could think it "sucks pretty hard."