Sites can slurp browser history right out of Firefox 16

A hole in Firefox 16 makes it possible for a malicious site to access a user's browsing history, Mozilla security chief Michael Coates revealed in a blog yesterday. Coates promised a patch today for the vulnerability in the latest version of the browser. Mozilla 16 was released on Tuesday but pulled a day later because of the …

COMMENTS

This topic is closed for new posts.
Bronze badge
Thumb Up

Android fixed already...

...as version 16.0.1 landed earlier today when my phone did an app update.

1
0
Stop

Is this the old vulnerability?

I remember this was a 'problem' up until last year for all browsers.

IIRC it relied on links in the history being a different colour than unvisited links.

If so, not a huge issue.

0
2
Anonymous Coward

Re: Is this the old vulnerability?

The blog post reads "The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters"

Which means this seems more serious due to the ability to access URL parameters too.

3
0

Re: Is this the old vulnerability?

Nigel, the vulnerability you are thinking of involved guessing what pages the user might have browsed, and then checking what colour a link to them would be rendered as. Most examples used the root page of common websites.

This sounds like a nefarious page can read either the full history list of the browser, or at least the backwards/forwards list of the current tab.

0
0
Anonymous Coward

Guinea Pigs

Didn't upgrade to 16 because it reported that my Firefox 3 Theme wouldn't work, and I can't stand what they did to the UI in FF4 and later.

It took me far too long to get things back as I wanted them when I upgraded from an old FF3, I don't want that pain again. (btw the FF3 theme is at http://ffaddons.game-point.net/ff3ff4/ and no I'm not connected to that - just credit where credit is due)

Just goes to show, always let other people be the guinea pigs!

2
9
Anonymous Coward

Circle of Life as we know it, captain

Strange to think that Firefox is as old now as IE5 was when Firefox launched, and still had a commanding market share.

Lots to contemplate about parallels between them, and how web browsers and the market have changed since then (including social networking sites replacing many personal and small business websites).

Makes you wonder where we'll be in another 7 years. I think the days of the independent web designer are drawing to a close. How quaint it seems in retrospect that people paid off their mortgages, bought fast cars and still have a fortune in the bank because they could hand-code HTML 3.2 and make incredibly complicated table layouts...

4
3
Silver badge
WTF?

Re: Circle of Life as we know it, captain

What on earth has this post got to do with anything?

3
6
Silver badge
Thumb Down

Re: Circle of Life as we know it, captain

Well, it made me think more than your post did...

9
4
Paris Hilton

Re: Circle of Life as we know it, captain

Seems Mr/Mrs Coward is superimposing his/her own failure as an independent on everyone else because they were dumb and lazy in their work.

Not safe to assume the same of everyone else.. have fun at the farm.

2
3
Boffin

Re: Circle of Life as we know it, captain

Oh and PS - this has precisely nothing to do with a browser flaw.

2
1
Silver badge

Re: Circle of Life as we know it, captain

I know that this is off topic, but the AC@13:13 made me think.

What we need now IMHO is a lightweight fast browser, without all of the historical cruft.

... wait a minute...

Wasn't that the primary reason Firefox was introduced back then as a response to Netscape Communicator?

1
0
Anonymous Coward

Re: Circle of Life as we know it, captain

Well when Firefox launched, everyone was slagging off IE5 for being bug ridden and insecure whilst claiming Firefox was flawless and perfectly secure.

Now people don't really bash IE anymore because it's too much of a cliche and MS are no longer leaving it rot. Whereas Firefox seems to get the most amount of public abuse because the perception of it is pretty much what the perception of IE5 was back then. Not as bad, but there's a reason Chrome market share keeps going up.

Whether it's true or not, just look around a few non-techie forums where normal people spend their time gossiping about Katie Price and Downton Abbey and you'll see Chrome being recommended as a replacement of Firefox by all those Mr/Mrs Averages. Just like the same kinds of people used to offer peer advice/pressure to switch from IE to Firefox in 2005.

I wouldn't be surprised if Chrome is being knocked by average users seven years from now in favour of some other browser...

0
0
Bronze badge

16 now?

Every time I blink another week has passed and another version of FF is out. What's next? Windows 9 by December the holidays? Next time someone says my FF browser's out of date I'm reaching through the interwebs and slapping the chap. Best of luck with the patch, FF 17 will be out before it's released. (9_9);;

1
1
Anonymous Coward

Re: 16 now?

Using 17b1 here

0
0
JDX
Gold badge

Re: 16 now?

Chrome's on v22/23 now, what is your point?

2
0
Silver badge
Facepalm

Re: 16 now?

What's more insane is the suggestion to downgrade to the older version, 15.0.1??

0
1
Bronze badge

Re: 16 now?

That's why I use SeaMonkey, uses the Mozilla engine and is able to use Firefox's extensions but without wanting to update every day. Has some nifty tools built-in too.

1
0

Re: 16 now?

19.0a1 here...

0
0
Joke

16? Is that the version number, or the amount of people still using it?

6
6
Headmaster

NUMBER of people!

Didn't they teach you anything at troll school??

7
4
Trollface

Re: NUMBER of people!

Relax, it just means less people are using it no matter how you say it...

8
1

Re: NUMBER of people!

Errr. "fewer" people.

Well, someone had to say it.

9
0
Meh

Re: NUMBER of people!

Not sure if charlie-charlie-tango-alpha missed the troll icon

or is trolling me back...

1
0
Happy

Re: NUMBER of people!

Missed it. But I can never resist the temptation to correct poor grammar.

2
0
Silver badge
Thumb Down

Hm... 10.0.7ESR is working fine here...

But then that is precisely why I'm on the ESR track, to avoid this sort of flavour-of-the-day breakages. I need to actually get work done around here.

2
0
Stop

Slow the frel down guys... ?

It is said that one reason for these lightning fast browser iterations is to assist the web developers, implementing new features as soon as possible. As a not exactly ex web developer it's making my head spin and in some cases breaking code faster than I can fix it...

This thinking might be naive but can we just slow it down a bit, put in some decent testing that is more than just passing a test suite, and just maybe there is more chance at catching these things before they hit a mainstream release?

Maybe I should get a few shipments of Cadbury's Caramel over to the Mozilla and for that matter Google folks... (ooh I might be showing my age referencing that advert)

1
0

Firefox 9

So I checked my version number, I'm on Firefox 9 (with updates switched off).

Didn't realise they'd gone up to 16 in that space of time, what was wrong with 10, 11, 12, 13, 14, 15 oh never mind I don't care anyway. Sticking with FF 9 thanks.

0
0
Yag
Bronze badge

Sigh...

I'm seriously considering going back to firefox 3.6.1...

0
0
Anonymous Coward

Remember kids, Firefox is the most secure browser there is!

0
0