Firefox 'new tab' feature exposes secured information

When Firefox 13 was released to the public earlier this month, it came with an updated 'New Tab' page that seems to take inspiration from Chrome and Opera by providing thumbnails of the sites you have previously viewed. There is also a 'Tabs on demand' feature, which aims to speed up your browsing experience.

For all its testing and quality control, at least one unintentional feature slipped through: secured content is easily accessible, through the 'New Tab' page, to anyone who uses the browser. Firefox 13 takes a snapshot of recently visited sites, and this includes sites accessed over HTTPS, which is used for secure communication with websites such as online banking.

In a report over at The Register, Reg reader Chris discovered the feature after opening a new tab, only to be "greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc."

"This content is behind a secure login for a reason," Chris added.

Mozilla responded to The Register, acknowledging the problem and promising a patch, in a statement that can be read below:

We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user's direct control.

The new tab thumbnails are based on users' browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened.

Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools in Firefox, such as Private Browsing Mode.

The latest version of Firefox includes two new notable updates to the Home and new Tab pages and was released on June 5th. If you haven't already updated, you might want to wait for a patch, or take the advice from Mozilla stated above.

Update: If you wish to disable the New Tab Page completely, visit about:config, type in browser.newtab.url, and then set the value to about:blank (or about:home, if you prefer).



Source: The Register
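A way to check a profile against the settings named in the update above and in the reader comments below, as an added example that is not from the article, Mozilla or the commenters: it parses the `user_pref(...)` lines of a profile's prefs.js and user.js and reports whether each of the three preferences has the suggested value. The sample file contents are constructed, and the function names are this example's own.

```python
import re

# Preference names and suggested values come from the article's update and
# its reader comments; everything else here is this example's own naming.
SUGGESTED = {
    "browser.newtab.url": ("about:blank", "about:home"),
    "browser.pagethumbnails.capturing_disabled": (True,),
    "browser.newtabpage.enabled": (False,),
}
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # unrecognised form, kept as text so it shows in the report

def parse_prefs(text):
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)  # header comments and other lines are skipped
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs

def audit(prefs_js, user_js=""):
    """user.js is applied on top of prefs.js at startup, so its values win."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    report = {}
    for name, accepted in SUGGESTED.items():
        if name not in effective:
            report[name] = "unset"
            continue
        value = effective[name]
        # Compare type as well as value: the integer 1 is not the boolean true.
        ok = any(type(value) is type(a) and value == a for a in accepted)
        report[name] = "ok" if ok else "set to %r" % (value,)
    return report

# Constructed sample profile contents, not taken from a real installation.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.newtab.url", "about:blank");
user_pref("browser.newtabpage.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("browser.newtabpage.enabled", false);\n'
```

Call `audit()` with the text of the profile's prefs.js and, if present, its user.js; a preference reported as "unset" is still at the browser's default.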



37 Comments


I did this the first time I opened a new tab and saw that the 9 most visited sites on the browser were porn...

I'm just kidding, but I did fear that my bank page was showing up.

vhaakmat said,
Oh Firefox, Firefox, how thow hast fallen.......

Bull crap, there's nothing wrong with the latest Firefox release, Mozilla will patch it up in no time. Stop being a drama queen.

Sub_Zero_Alchemist said,

Bull crap, there's nothing wrong with the latest Firefox release, Mozilla will patch it up in no time. Stop being a drama queen.


To un-troll OP,
Firefox's new tab page is lacking compared to Opera's implementation.
Or, not as simple yet functional as IE9/10 implementation.
It is just inferior to both in different ways.

Sub_Zero_Alchemist said,

Bull crap, there's nothing wrong with the latest Firefox release, Mozilla will patch it up in no time. Stop being a drama queen.


Why do they need to patch if there is nothing wrong...?

vhaakmat said,
Oh Firefox, Firefox, how thow hast fallen.......

How thow have fallen?

When was it ever up? Never have liked Firefox or what it was before it became Firefox. Anything that is getting updated as fast as this thing, or Chrome does, you KNOW has to have flaws in it. No way possible to check everything when you're cranking out new versions almost daily!

This was such a simple oversight, that I can't begin to imagine how many others are missed!

I don't see how it is possible because it only takes a shot at the launched page of a site. So if you go to do some online banking, you should, in worst case, get a shot of the login box. Of course unless you have automatic login, which would be a much bigger security risk than the New Tab page could ever be.

Edited by Yakuzing, Jun 24 2012, 3:47pm :

I like the new tab feature, but Firefox is currently unusable to me. Ever since the version 13 update, it hangs when trying to access websites.

dead.cell said,
I like the new tab feature, but Firefox is currently unusable to me. Ever since the version 13 update, it hangs when trying to access websites.

Yeah, I got used to Chrome and then went back to FF for a while and noticed how bad it is. Using 16.0 at the moment, though; it's not bad.

dead.cell said,
I like the new tab feature, but Firefox is currently unusable to me. Ever since the version 13 update, it hangs when trying to access websites.

No such problems here, try using the reset feature under troubleshooting and see if that helps any.

Sub_Zero_Alchemist said,

No such problems here, try using the reset feature under troubleshooting and see if that helps any.

Not sure what happened, but it finally seemed to resolve itself. /shrug

Thanks though!

dead.cell said,
I like the new tab feature, but Firefox is currently unusable to me. Ever since the version 13 update, it hangs when trying to access websites.
Might have something to do with the Flash you have; they say update to make sure it isn't buggy.

Alternate or best solution - set "browser.pagethumbnails.capturing_disabled" to true.
The feature will still work only without the thumbnails.

They should just disable the thumbnails and use favicons instead.

Note that changing browser.newtab.url under about:config doesn't fix the problem; the new tab page is still accessible by typing about:newtab into the location bar. The thumbnails are still accessible and stored by Firefox regardless.

akav0id said,
Or you could just set browser.newtabpage.enabled to false.

The new tab page 'tis a silly idea anyway

Agreed that it's a silly idea. Those who want Speed Dial can and will just install an addon.

Correct me if I'm wrong, but toggling that setting on about:config will only hide the new tab page as if you clicked the 'Hide the new tab page' button.

akav0id said,
Or you could just set browser.newtabpage.enabled to false.

Agreed, disables it entirely (even by going there manually.) Personally prefer the Speed Dial extension myself anyway, a lot more flexible.

Firefox also takes a thumbnail of every page of a site you visit, instead of taking a screenshot of the main page like a sane browser. Also, it takes a screenshot during your first visit to a site, even if you never visit again.

The main issue is that there's currently no way for a browser to know if a page is using TLS because it's supposed to be secure (e.g. bank account info) or if it's using it for another reason (SPDY, bypassing proxies, etc.)

Other browsers have the same functionality, and they're going to run into similar issues when SPDY becomes more prevalent (Currently Chrome shouldn't be able to generate a thumbnail of any Google page, since they all use SPDY)

Edit: And Firefox doesn't store thumbnails for pages marked as "no-cache", which could be anything from bank details to a weather page that wants to force the client to update the page, etc.

It's a fault of the underlying technology.

It's like self signed certificates vs. CA signed certificates, both offer the same level of encryption but they don't offer the same level of security, but there's no way for a client to work that out.

What we need is a way for a server to tell a client that the connection should be secure and encrypted, vs. just encrypted (So a bank would say "This is secure" and the client wouldn't cache it, while Twitter or Google Search could say it's not secure, they're just using TLS to get SPDY, and the client could cache it, make thumbnails, etc.)

It doesn't matter if you use it or not, anyone can still switch to the other new tabs page, I checked myself because I also don't use it, I added a way for people to manually disable it.

"We are aware of the concern and have a fix that will be released in a future version of Firefox."

If they have a patch, they should release it right away, not wait for a 'future version'!

Neobond said,
That's what they mean, it will be 13.02 or something since 13.01 is already out (aka a future version)

More like Firefox 14 at the rate Mozilla are going, pumping out Firefox versions

Neobond said,
It doesn't matter if you use it or not, anyone can still switch to the other new tabs page, I checked myself because I also don't use it, I added a way for people to manually disable it.

Still... The way to completely disable it, create new-> boolean->True "browser.pagethumbnails.capturing_disabled" and then what you did.