A “bug” in the latest version of Firefox that exposes secure information in the browser’s New Tab window may not be a flaw at all, according to one security researcher.
The New Tab feature in Firefox 13 displays thumbnails of previously visited web pages whenever a new tab is opened in the browser. Those thumbnails include information from secure, or HTTPS, websites, too.
One Firefox user reported that he discovered information in the thumbnails from previous online banking and webmail sessions that included account numbers, balances, and subject lines, according to a report in The Register. That means anyone opening the browser on your computer could have easy access to some of your most sensitive information. It also creates a rich target for cyber criminals trying to snatch info from your computer remotely.
Mozilla has pledged to fix the problem.
The New Tab bug, though, may not be a bug at all, contends Sophos security researcher Paul Ducklin. He pointed out in a blog Friday that information from secure websites has been routinely stored in the history cache of Firefox for some time. That’s because communication from a browser to a secure website is encrypted in transit but not at either end of the communication. So if someone intercepts the information in transit, it will look like garbage to them. If they grab it from the cache, though, it won’t.
While acknowledging that the New Tab flaw is a security problem that should be fixed, he argues that the root of the problem is likely to remain. For example, anyone who has access to a computer running Firefox, or for that matter Chrome, can open the cache and view everything in it by typing “about:cache” or “chrome://cache/”.
“So the newfound data leakage due to the thumbnails is a bit of a red herring,” Ducklin writes. “The information from which Firefox 13 builds its thumbnails has been there all along in previous Firefox versions.”
Several workarounds address the New Tab problem, but they fail to address the root problem, he maintains. They will hide the New Tab thumbs, but they won’t affect the information in the cache used to construct those thumbs.
A measure of security can be obtained by changing the privacy settings in Firefox so that the browser’s history is cleared each time the software is closed, Ducklin notes. He also recommends that every time you perform a task in Firefox that involves personal identifying information, you clear the recent history in the software through its Tools menu.
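The clear-on-close setting Ducklin describes can be checked from a profile's prefs.js file. The script below is an added example, not code from the article or from Mozilla. It assumes Firefox 13-era preference names and default values (both labelled in the code), and the sample prefs.js text is constructed.

```python
import re

# Firefox 13-era preference names (assumption: later releases may rename them).
# WANTED is the state the clear-on-close advice aims for.
WANTED = {
    "privacy.sanitize.sanitizeOnShutdown": True,  # run the cleanup when Firefox closes
    "privacy.clearOnShutdown.cache": True,        # cleanup includes the cache
    "privacy.clearOnShutdown.history": True,      # cleanup includes browsing history
}
# Assumed browser defaults, applied when prefs.js has no entry for a preference
# (prefs.js records only values that differ from the default).
DEFAULTS = {
    "privacy.sanitize.sanitizeOnShutdown": False,
    "privacy.clearOnShutdown.cache": True,
    "privacy.clearOnShutdown.history": True,
}

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit(text):
    """Return the preferences whose effective value differs from WANTED."""
    prefs = parse_prefs(text)
    return [n for n, want in WANTED.items() if prefs.get(n, DEFAULTS[n]) is not want]

# Constructed sample: cleanup on close is enabled, but the cache is excluded from it.
SAMPLE_PREFS = """
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", false);
"""

if __name__ == "__main__":
    for name in audit(SAMPLE_PREFS):
        print("not set as recommended:", name)
```

An empty result means the profile clears both history and cache on close. The check says nothing about data left behind during a session that is still open.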