Privacy-conscious users have sounded the alarm after it emerged the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content".
Reg reader Chris discovered the feature after opening a new tab only to be "greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc.
"This content is behind a secure login for a reason," Chris added.
In response to queries on the matter prompted by Chris's experience, Mozilla acknowledged that the behaviour was undesirable and promised a patch. In the meantime, the browser and email client firm points privacy-conscious users towards various workarounds, as a statement (below) explains.
When Firefox 13 was released to the public earlier this month, it came with an updated 'New Tab' page that seems to take inspiration from Chrome and Opera by providing thumbnails of the sites you have previously viewed. There is also a 'Tabs on demand' feature, which aims to speed up your browsing experience.
For all its testing and quality control, at least one unintentional feature slipped through: secured content is easily accessible, through the 'new tabs' page, to anyone who is using the browser. Firefox 13 takes a snapshot of recently visited sites, and this includes sites that were accessed over HTTPS, which is used for secure communication with websites such as online banking.
Firefox 13 was released earlier this month, and the new tab page was one of its top six features. Not only was this new feature well received by Firefox users, it was also one of the major interface changes the browser has implemented since going on a rapid release cycle. Unfortunately, it’s hit a bug all too soon. The speed dial feature that so many users were glad to have incorporated by default in the browser takes snapshots of websites regardless of whether they are viewed over HTTP or HTTPS. This puts secure HTTPS content captured on several websites in plain view. Why is this dangerous? Sites that mandate HTTPS are usually ones where sensitive information, like banking details, credit card numbers etc., is exchanged, and that isn’t information you want out in the open. The issue was first discovered by The Register, and Mozilla has acknowledged this breach. An update has been promised, but in the meantime, here is how you can disable the new tab page, which is the only way of staying safe.
A "bug" in the latest version of Firefox that exposes secure information in the browser's New Tab window may not be a flaw at all, according to one security researcher.
The New Tab feature in Firefox 13 displays thumbnails of previously visited web pages whenever a new tab is opened in the browser. Those thumbnails include information from secure, or HTTPS, websites, too.
One Firefox user reported that he discovered information in the thumbnails from previous online banking and webmail sessions that included account numbers, balances, and subject lines, according to a report in The Register. That means anyone opening up the browser on your computer could have easy access to some of your most sensitive information. It also creates a rich target for cyber criminals trying to snatch info from your computer remotely.