Browse archive

Latest news

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

F-Secure advances fight against exploits

Free anti-spam software for the Mac

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Hacking charge stations for electric cars

Risks

Vulnerabilities

Mozilla Privacy Leak

12 September 2002

From: Sven Neuhaus <sn@neopoly.com>

There is a serious privacy leak in Mozilla that reveals the URL of the page you are visiting to the web server of the page you visited last. The leak not only occurs for links followed on the page (that wouldn't be particularly serious) but also for URLs entered manually or picked from the bookmarks.

The bug affects Mozilla 1.0, 1.0.1, 1.1 and probably older versions as well. It also affects Mozilla-based browers such as Netscape 7 and Galeon.

The problem is that HTTP requests that are launched from a page's "onunload" handler have the wrong referer (sic): They get the referer of the next page the user is about to visit.

Demonstration URL:
http://members.ping.de/~sven/mozbug/refcook.html

This is bug 145579 from the bugzilla database. It's a couple of months old now so I'm disclosing this vulnerability to hopefully initiate the fixing process.

Workaround: Disable Javascript.

Best,
-Sven Neuhaus