Slashdot Mirror


Privacy Leak in Mozilla and Mozilla-Based Browsers

Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon. The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."

7 of 357 comments

  1. The most disturbing thing about this... by Corvaith · · Score: 5, Interesting

    ...is that the bug has apparently been a known one for months, and still hasn't been repaired.

    I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.

    1. Re:The most disturbing thing about this... by Anonymous Coward · · Score: 5, Insightful

      > This just troubles me greatly.

      Fine, this is not how you'd expect it to work.

      But, GIVE ME A BREAK. Privacy issues on the Web are legend. Cookies, referer, hidden fields, the entire body of software we know as "IE", the list goes on and on and on.

      So, by some new "stupid browser trick" you can now see where people are going -- not just where they've come from (as has always, forever, been the case).

      Oh my.

      If you are worried about "privacy" then you have been using an appropriate "junk busting" proxy from day one.

      If you are not using such a proxy, then you are not now, and never have been, seriously worried about privacy. And, this "horror of horrors" is no more an issue to anyone than the Referrer field.

      This sounds more like Microsoft Marketing poring through a Bug Base and using the media to turn a mole hill into a mountain.

      Should it be fixed? Yeah. So should Referrer be removed from existence. So should a lot of much more pressing privacy issues be outright abolished.

      So go back to sleep. If you weren't worried about this yesterday, then there is no reason for you to be worried about it today.

  2. Dear Slashdot morons by rebrane · · Score: 5, Interesting

    Do not link to BugZilla from the front page. Not only is it extremely impolite to overload their system with a bunch of hits from people who have no actual interest in the page, but they have disabled links with a slashdot referrer anyway. I'm sure some clued person will go to the bug report and relay any pertinent information in the comments anyway.

    1. Re:Dear Slashdot morons by Neon+Spiral+Injector · · Score: 5, Funny

      Have they also disabled people leaving Bugzilla to go to Slashdot? Okay, I know that was bad.

  3. Easy work-around for now by RPoet · · Score: 5, Informative

    People will tell you to disable Javascript altogether for protection, but it's better to just disable the onunload event. Just put the following line into your user.js file:

    user_pref("capability.policy.default.Window.onunload", "noAccess");

    You won't miss those onunload events anyway :)

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.

  4. HTTP_REFERER by nick_davison · · Score: 5, Interesting

    The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field.

    It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infallible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.

    From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disabled features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.

  5. Re:The problem with this bug by foobar104 · · Score: 5, Interesting

    Perhaps my lack of knowledge of JavaScript, but what exactly constitutes a legitimate use of onUnLoad?

    I'll give you one example. My company sells software with web front-end interfaces. One of the techniques we use is implementing a close-to-log-out feature. In other words, when you close the main app window, a handler fires that closes all daughter windows of the main app window and ends the user's session. That depends on onunload().

    We also use onunload() to make sure the application doesn't get confused if a user closes a window on which the application depends. When the user closes a window -- an alert dialog, say -- the onunload() handler checks to make sure that everything is as it should be. If it isn't, an error condition is established. Without onunload(), our application would be much less reliable in those kinds of situations.
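    The "close-to-log-out" pattern foobar104 describes, as an added example that is not code from the original thread or from any product mentioned in it: the main window keeps a registry of the daughter windows it opens, and its unload handler closes the survivors and ends the session. The window-opening and logout functions are injected (names and the "/logout" endpoint are assumptions) so the logic runs outside a browser; note that the user.js workaround above, which denies access to Window.onunload, would also stop a handler like this from firing.

```javascript
// Added example (not from the original thread): a "close-to-log-out" session
// manager of the kind foobar104 describes. The main window records every
// daughter window it opens; when the main window unloads, the handler closes
// them and ends the server session. openWindow/endSession are injected so the
// logic can be exercised without a browser. All names here are assumptions.
function createSessionManager(openWindow, endSession) {
  const daughters = [];

  // Open a daughter window and remember it so unload can close it later.
  function openDaughter(url, name) {
    const w = openWindow(url, name);
    if (w) daughters.push(w);
    return w;
  }

  // Unload handler for the main window: close daughters that are still open,
  // clear the registry, then end the session exactly once. Returns what it
  // did so a caller (or a test) can check it.
  function handleUnload() {
    let closed = 0;
    for (const w of daughters) {
      if (!w.closed) { w.close(); closed += 1; }
    }
    daughters.length = 0;
    endSession();
    return { closed };
  }

  // Called from a daughter window's own unload: drop it from the registry so
  // the main handler does not try to close an already-closed window.
  function daughterClosed(w) {
    const i = daughters.indexOf(w);
    if (i !== -1) daughters.splice(i, 1);
    return daughters.length;
  }

  return { openDaughter, handleUnload, daughterClosed, count: () => daughters.length };
}

// Browser wiring; only runs where a window object exists. "/logout" is a
// hypothetical endpoint that ends the server-side session.
if (typeof window !== "undefined") {
  const mgr = createSessionManager(
    (url, name) => window.open(url, name),
    () => navigator.sendBeacon("/logout")
  );
  window.addEventListener("unload", mgr.handleUnload);
}
```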