Researchers have found a flaw in Mozilla-based browsers that springs data on
the Web surfing movements of users.
Head researcher at Neopoly Sven Neuhaus said the bug, first discovered
in May, is a serious privacy issue.
In a demonstration of
the flaw, Neuhaus says it exposes the URL of the page a user is viewing to
the Web server of the site visited last, allowing a Web site to track where
a viewer goes next regardless of whether the URL is entered manually or via
a bookmark.
“This bug is still present in the Mozilla 1.1 release… It’s been three
months,” Neuhaus said in a plea for a fix on Bugzilla, the site used to
track vulnerabilities in Mozilla releases.
It affects Mozilla browser versions 0.9x, 1.0, 1.0.1, 1.1 and 1.2 alpha;
Netscape 6.x and 7; Galeon 1.2.x and Chimera 0.5.
Mozilla users are urged to disable JavaScript as a temporary workaround
until a fix is issued. The flaw exists in the “onunload” handler which
loads an image from the referring server about a user’s surfing movements.
In addition to disabling JavaScript, users can avoid the bug by creating a
file “user.js” in the profile folder (the one with the pref.js file) and put
the following line in the file:
user_pref(“capability.policy.default.Window.onunload”, “noAccess”);
This stops the “onunload” handler from being activated.
Mozilla.org, the open source browser project backed by AOL Time Warner
, just released
the 1.1 upgrade to provide increased support for Linux and Mac platforms but
the privacy flaw remains in the upgrade, Neuhaus said.