Firefox Security Bug Not a Bug at All

The New Tab feature exposes a user's travel to secure websites, but it draws the material from a source long present in the browser.

A "bug" in the latest version of Firefox that exposes secure information in the browser's New Tab window may not be a flaw at all, according to one security researcher.

The New Tab feature in Firefox 13 displays thumbnails of previously visited web pages whenever a new tab is opened in the browser. Those thumbnails include information from secure, or HTTPS, websites, too.

One Firefox user reported that he discovered information in the thumbnails from previous online banking and webmail sessions that included account numbers, balances, and subject lines, according to a report in The Register. That means anyone opening up the browser on your computer could have easy access to some of your most sensitive information. It also creates a rich target for cyber criminals trying to snatch info from your computer remotely.

Mozilla has pledged to fix the problem.

The New Tab bug, though, may not be a bug at all, contends Sophos security researcher Paul Ducklin. He pointed out in a blog Friday that information from secure websites has been routinely stored in the history cache of Firefox for some time. That's because communication from a browser to a secure website is encrypted in transit but not at either end of the communication. So if someone intercepts the information in transit, it will look like garbage to them. If they grab it from the cache, though, it won't.

While acknowledging that the New Tab flaw is a security problem that should be fixed, he argues that the root of the problem is likely to remain. For example, anyone who has access to a computer running Firefox, or for that matter Chrome, can view everything in the cache by typing "about:cache" or "chrome://cache/".

"So the newfound data leakage due to the thumbnails is a bit of a red herring," Ducklin writes. "The information from which Firefox 13 builds its thumbnails has been there all along in previous Firefox versions."

Several workarounds address the New Tab problem, but they fail to address the root problem, he maintains. They will hide the New Tab thumbs, but they won't affect the information in the cache used to construct those thumbs.

A measure of security can be obtained by changing the privacy settings in Firefox so that the browser's history is cleared each time the software is closed, Ducklin notes. He also recommends that every time you perform a task in Firefox that involves personal identifying information, you clear the recent history in the software through its tool menu.
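One way to check that a profile really is set to clear history and cache on exit is to audit its prefs.js file. The script below is an added example, not code from the article, Sophos or Mozilla. The preference names and defaults are assumptions based on legacy Firefox builds (confirm them in about:config for the version in use), and the sample input is constructed.

```python
import re

# Constructed sample of a Firefox profile's prefs.js (not from a real profile).
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 1);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", false);
user_pref("privacy.clearOnShutdown.history", true);
'''

# Assumed legacy preference names: value wanted for clear-on-exit.
WANTED = {
    "privacy.sanitize.sanitizeOnShutdown": True,
    "privacy.clearOnShutdown.cache": True,
    "privacy.clearOnShutdown.history": True,
}
# Assumed built-in defaults, used when prefs.js does not override a pref.
DEFAULTS = {
    "privacy.sanitize.sanitizeOnShutdown": False,
    "privacy.clearOnShutdown.cache": True,
    "privacy.clearOnShutdown.history": True,
}

PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);',
    re.M,
)

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """List (pref, effective_value) pairs that leave history or cache on disk."""
    prefs = parse_prefs(text)
    findings = []
    for name, wanted in WANTED.items():
        effective = prefs.get(name, DEFAULTS[name])
        if effective != wanted:
            findings.append((name, effective))
    return findings

if __name__ == "__main__":
    for name, value in audit(SAMPLE_PREFS):
        print(f"WEAK: {name} = {value}")
```

An empty result means the profile clears both history and cache on exit. It says nothing about data cached during a session that is still open.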

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.
