Firefox Promises Privacy Patch Against Tab Spying

Shared PC warning: the Firefox 13 browser records and stores thumbnails of a user's most-visited pages, including content from sessions otherwise protected by HTTPS.

When Firefox version 13 debuted earlier this month, it included a new tab page that shows thumbnails of the user's most-visited sites. But at what privacy cost?

"When opening a new tab, users are now presented with their most visited pages," according to Mozilla's Firefox 13 release notes.

But as one Firefox user discovered, the new tab feature was also "taking snapshots of the user's HTTPS session content," The Register reported, after one of its readers opened a new tab and was "greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines, etc."

While other browsers have long offered a list of "most visited" pages, they don't reproduce the content of HTTPS pages. "This content is behind a secure login for a reason," noted the Register reader. HTTPS protects a page only in transit: the thumbnail is rendered from the page after the user has logged in and is kept in the local profile, so anyone who subsequently opens Firefox can see that information, an obvious breach of the user's privacy as well as of data security. For Firefox 13 users on shared computers, the thumbnails could be stored and shown to subsequent users without the original user being aware that the data had ever been captured.


Mozilla acknowledged the issue and said it's working on a fix. "We are aware of the concern and have a fix that will be released in a future version of Firefox," said Mozilla spokeswoman Valerie Ponell via email. "Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user's direct control."

In the meantime, how can users disable the new tab thumbnail feature? For starters, Ponell noted that the feature is based solely "on users' browsing history," and that the stored information can be deleted by users via the preferences screen. "Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser," she said. "That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened."

She also advised anyone who uses Firefox 13 on a shared computer to use "the built-in privacy tools in Firefox, such as Private Browsing Mode," which also prevents thumbnails of the session from being recorded.

Firefox 13, released June 5, also patched seven bugs, four of which were critical. Many Firefox installations are set to automatically update and install the latest version.

While Mozilla may have committed a temporary, local Firefox privacy gaffe, the company has been working to proactively address larger questions involving people's right to privacy when using the Internet. In a TED talk earlier this year, Mozilla CEO Gary Kovacs delivered a presentation titled "Tracking the Trackers," in which he introduced an experimental browser add-on for Firefox called Collusion, which visually displays the behavioral tracking sites that are following a user, including sites the user has never visited.

Collusion was created by Mozilla Hackasaurus developer Atul Varma to present users with a graph of which sites were tracking them, color-coding those to which the user had not explicitly granted permission. Varma told the TED blog that he was surprised not just by how many different trackers followed him, but by how companies such as Google's DoubleClick and Scorecard Research consistently tracked him across the different sites he visited.

"One of the ones that was most surprising to me was VirginAmerica.com. One of the most unusual things about it--on the graph, it appears to make a single request to DoubleClick, which then makes requests to like 20 different data collection companies or something crazy," said Varma. "When you watch it in graph form, it looks like ... there's that kind of flower that, when you blow on it, there's all of these wispy things that fly out of it--a dandelion. It's pretty, but it's also kind of scary."
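The graph Varma describes is derived from ordinary request logs: every request a page makes to a host other than its own is an edge, and hosts that appear on many unrelated pages are the trackers. The script below is an added illustration, not Collusion's code, that rebuilds that graph from a constructed request log shaped after the article's description (four sites visited, one of them fanning out through DoubleClick to further collectors). It assumes each log record carries the top-level page, the requested URL and, where known, the URL whose response triggered the request; hosts are collapsed to their last two DNS labels as a stand-in for a proper public-suffix lookup.

```javascript
// Added example (not Collusion's own code): reconstruct the kind of graph
// Collusion draws from a browsing log. Each record is one HTTP request: the
// top-level page that was open, the URL requested and, if known, the URL whose
// response triggered it (a chained request). Hosts are reduced to a crude
// "site" (last two DNS labels) so ad.doubleclick.net and stats.g.doubleclick.net
// count as one tracker; a real tool would consult the Public Suffix List.
'use strict';

function siteOf(url) {
  const labels = new URL(url).hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.'); // simplification, see comment above
}

// Constructed sample log, not real traffic. Four sites visited directly;
// doubleclick contacted from three of them; on the first site the doubleclick
// response itself pulls in two more collectors (the "dandelion" pattern).
const SAMPLE_LOG = [
  { page: 'https://www.virginamerica.com/', url: 'https://www.virginamerica.com/css/site.css' },
  { page: 'https://www.virginamerica.com/', url: 'https://ad.doubleclick.net/adj/va' },
  { page: 'https://www.virginamerica.com/', url: 'https://b.scorecardresearch.com/beacon.js',
    initiator: 'https://ad.doubleclick.net/adj/va' },
  { page: 'https://www.virginamerica.com/', url: 'https://pixel.quantserve.com/pixel',
    initiator: 'https://ad.doubleclick.net/adj/va' },
  { page: 'https://news.example.com/story', url: 'https://news.example.com/img/logo.png' },
  { page: 'https://news.example.com/story', url: 'https://stats.g.doubleclick.net/dc.js' },
  { page: 'https://news.example.com/story', url: 'https://b.scorecardresearch.com/beacon.js' },
  { page: 'https://shop.example.org/cart', url: 'https://ad.doubleclick.net/adj/shop' },
  { page: 'https://mail.example.net/inbox', url: 'https://mail.example.net/api/list' },
];

function buildTrackerGraph(log) {
  const visited = new Set(); // sites the user navigated to on purpose
  const edges = new Map();   // from-site -> Set of to-sites
  const reach = new Map();   // tracker site -> Set of first-party sites it observed
  for (const rec of log) {
    const page = siteOf(rec.page);
    const target = siteOf(rec.url);
    visited.add(page);
    if (target === page) continue; // first-party request, not tracking
    const from = rec.initiator ? siteOf(rec.initiator) : page;
    if (!edges.has(from)) edges.set(from, new Set());
    edges.get(from).add(target);
    if (!reach.has(target)) reach.set(target, new Set());
    reach.get(target).add(page);
  }
  // Trackers ranked by how many distinct first-party sites they saw, and
  // flagged when the user never visited them directly (what Collusion colours).
  const trackers = [...reach.entries()]
    .map(([site, pages]) => ({ site, sites: pages.size, unvisited: !visited.has(site) }))
    .sort((a, b) => b.sites - a.sites || a.site.localeCompare(b.site));
  return { visited, edges, trackers };
}

// Every tracker site reachable from `fromSite`, following chained requests.
function fanOut(graph, fromSite) {
  const seen = new Set();
  const stack = [fromSite];
  while (stack.length) {
    const cur = stack.pop();
    for (const next of graph.edges.get(cur) || []) {
      if (!seen.has(next)) { seen.add(next); stack.push(next); }
    }
  }
  return seen;
}

// Text rendering of the graph for the sample log.
const graph = buildTrackerGraph(SAMPLE_LOG);
console.log(`visited ${graph.visited.size} sites directly`);
for (const t of graph.trackers) {
  const note = t.unvisited ? ' (never visited directly)' : '';
  console.log(`${t.site.padEnd(24)} seen on ${t.sites} site(s)${note}`);
}
console.log('fan-out from virginamerica.com:', [...fanOut(graph, 'virginamerica.com')].join(', '));
```

Note that once edges are keyed by site, a collector reached through DoubleClick on one page is counted as reachable from every page that loads DoubleClick; that is the conservative reading, and a per-page graph would need the page kept on each edge.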

Kovacs likewise detailed just how pervasive he'd found online behavioral tracking to be, recounting how many sites were following him after just a few minutes' browsing one morning. "We are not even two bites into breakfast, and there are already nearly 25 sites that are tracking me. I have navigated to a total of four," he said. By the end of a typical day, he found over 150 sites tracking his personal information, "almost all of them without my consent," he said. "I'm being stalked across the Web."

While the Internet is an indispensable tool, "the price we're being asked to pay for all this connectedness is our privacy," he said. "We are being watched, it's now time for us to watch the watchers."

Comments
PeterEicher, 6/22/2012 5:14 PM
re: Firefox Promises Privacy Patch Against Tab Spying
I really dislike this new browser feature, aside from the security issues. Thanks for the tip on turning it off. However, the description is a bit confusing.

"Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser," she said.

This icon is on the screen that shows you the most visited pages. It's a little icon that looks like a checkerboard. At first I was searching at the top of the browser itself, in the toolbar area. It's not there. It's directly under the toolbar when you open a new tab.

CalistaHerdhart, 6/25/2012 5:22 AM
re: Firefox Promises Privacy Patch Against Tab Spying
Chrome has been doing this for ages
ANON1241624276539, 6/25/2012 1:33 PM
re: Firefox Promises Privacy Patch Against Tab Spying
Do Not Track from Abine.com is a free utility that does a wonderful job blocking trackers. Abine has other fee-based apps that are very interesting and priced decently. However, DNT (Do Not Track) is FREE.

Additionally, Rapport from Trusteer is an outstanding utility used particularly by banks. It too is FREE.

Sometimes FREE can actually BE worthwhile. These two apps certainly are.