Browser data leakage bug – Mozilla to delete info just in case

By Paul Ducklin, Sophos

January 2, 2018

Mozilla published an unexpected security patch this week, bumping Firefox up to version 57.0.3.

(You probably weren’t expecting a browser update between Christmas and New Year, but it’s good to know that security fixes don’t take second place in the holiday season.)

The flaw is officially numbered Bug 1427111, and the good news is that this wasn’t a vulnerability that gave crooks the ability to launch an attack, implant malware, or rootle around for personal data on your hard disk.

It was, however, an ironic bug: if Firefox hit a bug and crashed, it could then hit another bug and upload crash report data even if you’d told it not to.

Technically, this counts as data leakage, but because the data was sent directly from your browser to Mozilla’s servers, rather than to somewhere unknown or unpredictable, we’ll accept that the risk was modest:

Fix a crash reporting issue that inadvertently sends background tab crash reports to Mozilla without user opt-in
