A bug found within Firefox’s new tab system is a “red herring” and only makes secured browsing data more accessible.
The bug was found in a feature within the latest version of Firefox that captured thumbnail snapshots of websites visited by users.
A reader of The Register found that the snapshots also trapped secured HTTPS browser data meaning anyone with access to a computer could view potentially sensitive information.
Mozilla was quick to announce plans to fix the bug to prevent tabs slurping HTTPS data.
But the bug was “a bit of a red herring” according to Sophos scribe and Asia Pacific technology head Paul Ducklin, because the information used to build the feature had existed in previous versions of the browser.
Ducklin pointed out that HTTPS data was always available in the browsers’ cache and switching off the new feature – touted as a workaround -- did not resolve the problem.
“In my HTTPS experiments, turning off the thumbnails didn't do anything about Firefox's cache,” Ducklin said.
“Whatever is inside an HTTPS request, and in its corresponding reply, must exist in unencrypted form at each end of the conversation in order to be of any use.
"That means both your browser and the server you're talking to may - indeed, probably will - end up with a permanent record of the transaction's content, even though it was encrypted during transmission.”
However he points out that the snapshot feature provided richer data and made it easier to access the cached information.
Users could avoid potential exposure by erasing stored browser data after each browser session.
“… if this whole issue really is a bug, it may very well be a bug in our willingness to hold on to browser data between sessions," he said.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.