Mozilla-based browsers expose people's Web surfing data

September 17, 2002

Netscape and other Web browsers based on the Mozilla development project contain a flaw that exposes people's Web surfing data, according to a security alert posted on Bugtraq mailing list.

The flaw reveals the URL of the page a user is viewing to the Web server of the site last visited. This allows a Web server to track where people go next after they leave the site, regardless of whether the URL is entered manually or via a bookmark.

Reportedly the bug is present in Mozilla 0.9x, 1.0, 1.0.1, 1.1 and 1.2 alpha. It also appears in browsers based on Mozilla's technology, including Netscape 6.x and 7; Galeon 1.2.x and Chimera 0.5.

The problem lies with a component called "onunload," Sven Neuhaus a researcher who discovered the bug, said.

To fix the hole manually users should switch off JavaScript. In addition to disabling JavaScript, users can avoid the bug by creating a file "user.js" in the profile folder (the one with the pref.js file) and put the following line in the file: user_pref("capability.policy.default.Window.onunload", "noAccess"); This stops the "onunload" handler from being activated.

Mozilla.org, the open source browser project initiated by Netscape Communications (now part of AOL Time Warner) to encourage volunteer interest in its browser technology.