Friday, June 22, 2012

Firefox 'New Tab' Feature Exposes Secure Information

A report at The Register indicates that the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content".

The reader of The Register indicated that when he opened a new tab, he was presented with his earlier online banking and webmail sessions, complete with account number information, balance, etc.
On the computer where I generally have 16-20 tabs open, the new tab did indeed include thumbnails of cached pages of sites I had logged on to. On a second computer that generally has only four tabs open, my email page was prominently displayed.

Although the display of the cached pages is highly undesirable, since my Firefox profile is associated with my computer logon, I can see that the thumbnail is displaying the past page visited and, in some cases, the page currently displayed on another tab! 


If you use a shared or public computer, use the Private Browsing feature:
At the top of the Firefox window, click the Firefox button (Tools menu in Windows XP) and select "Start Private Browsing" (Keyboard shortcut = Ctrl+Shift+P).
Although it will not help for an existing session, use the setting to clear history when Firefox closes.    
At the top of the Firefox window, click the Firefox button (Tools menu in Windows XP).  Select Options > Privacy > Clear history when Firefox closes.  When you relaunch Firefox and click the "New Tab" button, empty thumbnails with just the site name are presented.
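One way to check a profile for the settings described above, as an added example that is not part of the original post. The preference names and defaults are Firefox's `about:config` entries, which the post does not give, and the sample `prefs.js` contents are constructed.

```python
import re

# Preferences behind the settings described above, with Firefox's defaults.
# prefs.js only records values the user changed, so a missing entry means
# the default is in effect. (Pref names are not from the original post.)
DEFAULTS = {
    "browser.newtabpage.enabled": True,            # thumbnail grid on New Tab
    "privacy.sanitize.sanitizeOnShutdown": False,  # "Clear history when Firefox closes"
    "browser.privatebrowsing.autostart": False,    # always start in Private Browsing
}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);')

def read_prefs(text):
    """Return effective values for the prefs in DEFAULTS from prefs.js text."""
    prefs = dict(DEFAULTS)
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in prefs:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs

def audit(text):
    """List findings for a profile on a shared or public computer."""
    p = read_prefs(text)
    findings = []
    if p["browser.privatebrowsing.autostart"]:
        return findings  # no new history is recorded to feed the thumbnails
    if p["browser.newtabpage.enabled"]:
        findings.append("New Tab page shows thumbnails of visited sites")
    if not p["privacy.sanitize.sanitizeOnShutdown"]:
        findings.append("history is not cleared when Firefox closes")
    return findings

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_DEFAULT = 'user_pref("browser.startup.homepage", "about:home");\n'
SAMPLE_HARDENED = (
    'user_pref("browser.newtabpage.enabled", false);\n'
    'user_pref("privacy.sanitize.sanitizeOnShutdown", true);\n'
)

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)]:
        print(name, audit(text) or "no findings")
```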

According to Mozilla, the new tab appears when you click the “+” at the end of your tab strip. Strangely, although I have the latest version installed, some customizations or an installed add-on apparently result in no "+" at the end of the tab strip. For standard installations, apparently there is a small button in the upper right corner that hides the site tiles, leaving only the small button visible. Perhaps a Security Garden reader can confirm that and provide a link to a screen capture.

Mozilla Statement

Following is the statement provided by Mozilla when presented with the issue by The Register:

"We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user's direct control.

The new tab thumbnails are based on users' browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened.

Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools in Firefox, such as Private Browsing Mode."





Firefox download said...

Thank you, using Ctrl + Shift + P is a great way for me to visit a porn site! :D

Corrine said...

That won't keep your computer from getting infected.

John Cornish said...

Nice article... Thanks for sharing it. I'm sure Firefox will resolve this issue soon in its successor.