Is Your Browser Exposing Private Data?

Several websites including The Register and ZDNet have reported that Firefox 13’s new tab page is taking thumbnail snapshots of visited pages — including those during secure HTTPS sessions:

Firefox 13 new tab page

The problem is not unique to Firefox; Chrome and Safari also generate thumbnails of HTTPS page content but their images are smaller and less readable. Firefox’s larger snapshots can reveal webmail and online banking sessions containing visible account numbers, balances and subject lines — even after you’ve logged out.

Fortunately, the thumbnails are generated by the browser and stored locally. No URLs or data are sent to servers, and the images can be removed by clearing the history or clicking the “Hide the new tab page” icon at the top-right of the screen.

While the issue is unlikely to affect those with sole use of a single device, those using shared PCs should be wary. Firefox usually refreshes the new tab page after a browser restart so it’s best to use Private Browsing Mode during your session or the Clear Recent History option immediately after.

Mozilla has acknowledged the behavior and promised to release a patch shortly. But it’s a lesson for us all: if we’re not careful, seemingly innocent and useful software functionality can cause undesirable security side-effects.

  • Kise S.

    SSL is becoming the norm; it’s unreasonable to disable all HTTPS pages from showing in the list. What I would suggest is a way to mark domains so that they won’t show up in the list.

    • http://www.optimalworks.net/ Craig Buckler

      Blocking HTTPS thumbnails would be a good start. It is used by many applications, but HTTP remains the primary protocol for content websites.

      A domain-specific blocker is a nice idea, although it seems like a slightly over-engineered solution for a minor browser widget.

      • Cortb

        I agree that blocking sites using HTTPS would be something for Firefox and other browsers to do. If you need to use SSL, then by the very nature of the content, it should be private. Or they could set the snapshot to work on page load, then the user would not have typed their information yet.

  • http://richstyle.org/ Anas R.

    Another suggestion: taking a shot should be prevented from “logged-in” sessions.

    • http://www.optimalworks.net/ Craig Buckler

      Nice idea, but how do you know? There are many ways to retain application state and it would be difficult for the browser to make an assumption about whether you’re logged on or not.

  • http://brianswebdesign.com Brian Temecula

    Clicking on “Hide the new tab page” in FF doesn’t do any good because you can just click on “Show the new tab page” and all the thumbnails come back. I had mine hidden, and after restarting FF and clicking the “Show” button, all the thumbnails were still there.

    I really don’t care for the functionality, so I’d appreciate a tip to turn it off altogether.

    • http://www.optimalworks.net/ Craig Buckler

      That’s strange – my installation wiped the thumbnails when toggling the hide/show button?

      I guess a switch off function is coming and I wouldn’t be surprised if there’s an add-on.

  • Pete Nelson

    Fortunately, you can disable this feature in Firefox using about:config. Change the value of “browser.newtabpage.enabled” to “false”.

  • Ken Robinson

    Here’s how to turn off the thumbnails. Just a little searching with Google finds this:

    * Enter about:config in the browser’s address bar to load the advanced preferences listing
    * Filter for browser.newtabpage.enabled and double-click the entry to change its value to false. This disables the new tab page and displays a blank page instead.
    * Alternatively, filter for browser.newtab.url, double-click it and replace the about:newtab value with another page in the browser. Please note that Firefox will still generate the information in the background, as the feature is still active.

    Ken

  • Richard P

    Marvelous. I just updated some public library machines with Firefox 13. We have a third-party application that is supposed to manage user sessions and clear data, but I have no doubt it’s not up to date. I’ve got a bunch of uninstalls to do.

  • http://www.dynamicsitesolutions.com/ Kravvitz

    There are at least two extensions that allow you to change the new tab page to something else. I’ve used Firefox’s Tab Mix Plus extension for a long time. In its options under Events ==> New Tabs you can change the “load on new tabs” option to something other than “New Tab Page” to mostly disable that. The NewTabURL extension offers the same thing.

    In Firefox’s “about:config” page you can change the values for the “browser.newtab.url” and “browser.newtabpage.enabled” preferences to disable the feature.

    http://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off

  • E.A.

    Why don’t you just set FF to clear history when you exit? Seems to work for me.

  • Charles

    Below are instructions on how to disable this useless feature:

    “If you wish to disable the New Tab Page completely, visit about:config, type in browser.newtab.url, and then set the value to about:blank (or about:home, if you prefer).”

    or just type in the address of your home page.

    http://www.extremetech.com/computing/130485-firefox-13-released-new-tab-page-and-homepage-launcher-and-spdy-on-by-default

    Charles

  • Charles

    The instructions are for Firefox.

  • http://www.roddoiron.com Rod

    To eliminate this problem:
    Type: about:config in the address bar.
    Click on “I’ll be careful, I promise.”
    In the search box, type: browser.newtab.url to find it on the list below the search box.
    That item will be the only remaining line in the box under “Preference Name”. Double click on it.
    In the dialog box, replace the line with: about:blank
    Click OK.
    Done.
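The about:config steps given by Ken and Rod above boil down to two preferences in a profile’s prefs.js. The script below is an added example, not code from the article or from Mozilla: it audits a prefs.js file (assumed to use Firefox’s standard `user_pref("name", value);` syntax) and distinguishes a profile that only redirected browser.newtab.url, where Ken notes thumbnails are still generated in the background, from one where browser.newtabpage.enabled is actually false. The sample profiles are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article). Audit a Firefox prefs.js for the
# new tab page preferences discussed in the comments. newtab_status prints:
#   thumbnails-active : new tab page enabled (default or explicit)
#   page-redirected   : browser.newtab.url changed but the feature is still
#                       active, so thumbnails are still generated in the background
#   disabled          : browser.newtabpage.enabled is false

pref_value() {
    # $1 = prefs.js path, $2 = preference name; prints the raw value (last
    # definition wins, as in Firefox) or nothing if the pref is unset
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}

newtab_status() {
    enabled=$(pref_value "$1" "browser.newtabpage.enabled")
    url=$(pref_value "$1" "browser.newtab.url")
    if [ "$enabled" = "false" ]; then
        echo "disabled"
    elif [ -n "$url" ] && [ "$url" != "\"about:newtab\"" ]; then
        echo "page-redirected"
    else
        echo "thumbnails-active"
    fi
}

# Constructed sample profiles for the demonstration (not real user data)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'user_pref("browser.startup.homepage", "https://example.com/");' > "$tmp/default.js"
printf '%s\n' 'user_pref("browser.newtab.url", "about:blank");' > "$tmp/redirect.js"
printf '%s\n' 'user_pref("browser.newtab.url", "about:blank");' \
              'user_pref("browser.newtabpage.enabled", false);' > "$tmp/off.js"

for f in default redirect off; do
    printf '%s: %s\n' "$f" "$(newtab_status "$tmp/$f.js")"
done
```

On a shared machine, point the script at each profile’s prefs.js; only a `disabled` result means the thumbnails stop being generated.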

  • http://web101marketing.com Tom Parker

    I use a plugin called FVD Speed Dial, which is similar in function, but way more powerful and customizable than ff’s new tab page. The thumbnails are too small to read the text. Without researching this a bit, it appears to ‘overwrite’ or ‘replace’ the ff tab views. I don’t even have a button for tab view, I just have one for FVD, for changing settings, etc.

  • http://www.avial.com.au Joel

    I like Cortb’s solution of taking the snapshot before sensitive information has been supplied. After the first key press or even mouse click event, if the snapshot has not been taken, it never will be and a place-holder image is used instead.

    I believe having a blacklist of domains to not screenshot is not a good solution. It is dependent on the user to understand that they need to do so. Security should be default behaviour – it should not depend on the user. (Of course, a white-list would render the feature useless.)

  • Sandy

    Firefox also has the handy “restore last session” functionality, which even resurrects session cookies. Gone are the days of closing the browser to log out of your banking site, because now browser sessions can last between…sessions.

    • pov

      Instead of closing the browser you can click on Tools and then Clear Recent History (or just use Ctrl-Shift-Delete)