Sites can slurp browser history right out of Firefox 16

A hole in Firefox 16 makes it possible for a malicious site to access a user's browsing history, Mozilla security chief Michael Coates revealed in a blog yesterday. Coates promised a patch today for the vulnerability in the latest version of the browser. Mozilla 16 was released on Tuesday but pulled a day later because of the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Android fixed already...

    ...as version 16.0.1 landed earlier today when my phone did an app update.

  2. nigel 15
    Stop

    Is this the old vulnerability?

    I remember this was a 'problem' up until last year for all browsers.

    IIRC it relied on links in the history being a different colour than unvisited links.

    if so not a huge issue.

    1. Anonymous Coward

      Re: Is this the old vulnerability?

      The blog post reads "The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters"

      Which means this seems more serious due to the ability to access URL parameters too.

    2. Colin Miller

      Re: Is this the old vulnerability?

      Nigel, the vulnerability you are thinking of involved guessing what pages the user might have browsed, and then checking what colour a link to them would be rendered as. Most examples used the root page of common websites.

      This sounds like a nefarious page can read either the full history list of the browser, or at least the backwards/forwards list of the current tab.

  3. Anonymous Coward

    Guinea Pigs

    Didn't upgrade to 16 because it reported that my Firefox 3 Theme wouldn't work, and I can't stand what they did to the UI in FF4 and later.

    It took me far too long to get things back as I wanted them when I upgraded from an old FF3, I don't want that pain again. (btw the FF3 theme is at http://ffaddons.game-point.net/ff3ff4/ and no I'm not connected to that - just credit where credit is due)

    Just goes to show, always let other people be the guinea pigs!

  4. Anonymous Coward

    Circle of Life as we know it, captain

    Strange to think that Firefox is as old now as IE5 was when Firefox launched, and still had a commanding market share.

    Lots to contemplate about parallels between them, and how web browsers and the market have changed since then (including social networking sites replacing many personal and small business websites).

    Makes you wonder where we'll be in another 7 years. I think the days of the independent web designer are drawing to a close. How quaint it seems in retrospect that people paid off their mortgages, bought fast cars and still have a fortune in the bank because they could hand-code HTML 3.2 and make incredibly complicated table layouts...

    1. Anonymous Coward
      WTF?

      Re: Circle of Life as we know it, captain

      What on earth has this post got to do with anything?

      1. FartingHippo
        Thumb Down

        Re: Circle of Life as we know it, captain

        Well, it made me think more than your post did...

    2. pewpie
      Paris Hilton

      Re: Circle of Life as we know it, captain

      Seems Mr/Mrs Coward is superimposing his/her own failure as an independent on everyone else because they were dumb and lazy in their work.

      Not safe to assume the same of everyone else.. have fun at the farm.

      1. pewpie
        Boffin

        Re: Circle of Life as we know it, captain

        Oh and PS - this has precisely nothing to do with a browser flaw.

    3. Peter Gathercole Silver badge

      Re: Circle of Life as we know it, captain

      I know that this is off topic, but the AC@13:13 made me think.

      What we need now IMHO is a lightweight fast browser, without all of the historical cruft.

      ... wait a minute...

      Wasn't that the primary reason Firefox was introduced back then as a response to Netscape Communicator?

      1. Anonymous Coward

        Re: Circle of Life as we know it, captain

        Well when Firefox launched, everyone was slagging off IE5 for being bug ridden and insecure whilst claiming Firefox was flawless and perfectly secure.

        Now people don't really bash IE anymore because it's too much of a cliche and MS are no longer leaving it rot. Whereas Firefox seems to get the most amount of public abuse because the perception of it is pretty much what the perception of IE5 was back then. Not as bad, but there's a reason Chrome market share keeps going up.

        Whether it's true or not, just look around a few non-techie forums where normal people spend their time gossiping about Katie Price and Downton Abbey and you'll see Chrome being recommended as a replacement of Firefox by all those Mr/Mrs Averages. Just like the same kinds of people used to offer peer advice/pressure to switch from IE to Firefox in 2005.

        I wouldn't be surprised if Chrome is being knocked by average users seven years from now in favour of some other browser...

  5. tempemeaty

    16 now?

    Every time I blink another week has passed and another version of FF is out. What's next? Windows 9 by December the holidays? Next time someone says my FF browser's out of date I'm reaching through the interwebs and slapping the chap. Best of luck with the patch, FF 17 will be out before it's released. (9_9);;

    1. Anonymous Coward

      Re: 16 now?

      Using 17b1 here

      1. Cameron Colley

        Re: 16 now?

        19.0a1 here...

    2. JDX Gold badge

      Re: 16 now?

      Chrome's on v22/23 now, what is your point?

    3. Annihilator
      Facepalm

      Re: 16 now?

      What's more insane is the suggestion to downgrade to the older version, 15.0.1??

    4. Crazy Operations Guy

      Re: 16 now?

      That's why I use SeaMonkey, uses the Mozilla engine and is able to use Firefox's extensions but without wanting to update every day. Has some nifty tools built-in too.

  6. St3n
    Joke

    16? Is that the version number, or the amount of people still using it?

    1. tirk
      Headmaster

      NUMBER of people!

      Didn't they teach you anything at troll school??

      1. Zaphod.Beeblebrox
        Trollface

        Re: NUMBER of people!

        Relax, it just means less people are using it no matter how you say it...

        1. charlie-charlie-tango-alpha

          Re: NUMBER of people!

          Errr. "fewer" people.

          Well, someone had to say it.

          1. Zaphod.Beeblebrox
            Meh

            Re: NUMBER of people!

            Not sure if charlie-charlie-tango-alpha missed the troll icon or is trolling me back...

            1. charlie-charlie-tango-alpha
              Happy

              Re: NUMBER of people!

              Missed it. But I can never resist the temptation to correct poor grammar.

  7. Gene Cash Silver badge
    Thumb Down

    Hm... 10.0.7ESR is working fine here...

    But then that is precisely why I'm on the ESR track, to avoid this sort of flavour-of-the-day breakages. I need to actually get work done around here.

  8. Zombieman
    Stop

    Slow the frel down guys... ?

    It is said that one reason for these lightning fast browser iterations is to assist the web developers, implementing new features as soon as possible. As a not exactly ex web developer it's making my head spin and in some cases breaking code faster than I can fix it...

    This thinking might be naive but can we just slow it down a bit, put in some decent testing that is more than just passing a test suite, and just maybe there is more chance at catching these things before they hit a mainstream release?

    Maybe I should get a few shipments of Cadbury's Caramel over to the Mozilla and for that matter Google folks... (ooh I might be showing my age referencing that advert)

  9. Purlieu

    Firefox 9

    So I checked my version number, I'm on Firefox 9 (with updates switched off).

    Didn't realise they'd gone up to 16 in that space of time, what was wrong with 10, 11, 12, 13, 14, 15 oh never mind I don't care anyway. Sticking with FF 9 thanks.

  10. Yag

    Sigh...

    I'm seriously considering going back to firefox 3.6.1...

  11. Anonymous Coward

    Remember kids, Firefox is the most secure browser there is!
