We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Firefox Security Bug Not a Bug at All

The New Tab feature exposes a user's travel to secure websites, but it draws the material from a source long present in the browser.

A "bug" in the latest version of Firefox that exposes secure information in the browser's New Tab window may not be a flaw at all, according to one security researcher.

The New Tab feature in Firefox 13 displays thumbnails of previously visited web pages whenever a new tab is opened in the browser. Those thumbnails include information from secure, or HTTPS, websites, too.

One Firefox user reported that he discovered information in the thumbnails from previous online banking and webmail sessions that included account numbers, balances, and subject lines, according a report in The Register. That means anyone opening up the browser in your computer could have easy access to some of your most sensitive information. It also creates a rich target for cyber criminals trying to snatch info from your computer remotely.

Mozilla has pledged to fix the problem.

The New Tab bug, though, may not be a bug at all, contends Sophos security researcher Paul Ducklin. He pointed out in a blog Friday that information from secure websites has been routinely stored in the history cache of Firefox for some time. That's because communication from a browser to a secure website is encrypted in transit but not at either end of the communication. So if someone intercepts the information in transit, it will look like garbage to them. If they grab it from the cache, though, it won't.

While acknowledging that the New Tab flaw is a security problem that should be fixed, the root of the problem is likely to remain, he argues. For example, anyone that has access to a computer running Firefox, or for that matter Chrome, can view everything in the cache opening it up by typing "about:cache" or "chrome://cache/."

"So the newfound data leakage due to the thumbnails is a bit of a red herring," Ducklin writes. "The information from which Firefox 13 builds its thumbnails has been there all along in previous Firefox versions."

Several workarounds address the New Tab problem, but they fail to address the root problem, he maintains. They will hide the New Tab thumbs, but they won't affect the information in the cache used to construct those thumbs.

A measure of security can be obtained by changing the privacy settings in Firefox so that the browser's history is cleared each time software is closed, Ducklin notes. He also recommends that every time you perform a task in Firefox that involves personal identifying information, you clear the recent history in the software through its tool menu.  

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

IDG UK Sites

Windows 10 launch event as it happened: Read our Windows 10 launch live blog - find out first as...

IDG UK Sites

Windows 9 and the death of the OS as a must-have product

IDG UK Sites

Video trends: 4K is here – HDR video, VR and 3D audio is coming

IDG UK Sites

Best iPhone 6, iPhone 6 Plus deals: iPhone 6, iPhone 6 Plus tariffs, contracts and prices UK