Is Your Browser Exposing Private Data?

By Craig Buckler

Several websites including The Register and ZDNet have reported that Firefox 13’s new tab page is taking thumbnail snapshots of visited pages — including those during secure HTTPS sessions:

Firefox 13 new tab page

The problem is not unique to Firefox; Chrome and Safari also generate thumbnails of HTTPS page content but their images are smaller and less readable. Firefox’s larger snapshots can reveal webmail and online banking sessions containing visible account numbers, balances and subject lines — even after you’ve logged out.

Fortunately, the thumbnails are generated by the browser and stored locally. No URLs or data are sent to servers and the images can be removed by clearing the history or clicking the “Hide the new tab page” icon at the top-right of the screen.

While the issue is unlikely to affect those with sole use of a single device, those using shared PCs should be wary. Firefox usually refreshes the new tab page after a browser restart so it’s best to use Private Browsing Mode during your session or the Clear Recent History option immediately after.

Mozilla has acknowledged the behavior and promised to release a patch shortly. But it’s a lesson for us all: if we’re not careful, seemingly innocent and useful software functionality can cause undesirable security side-effects.

  • Kise S.

    SSL is becoming a norm; it’s unreasonable to disable all HTTPS from showing in the list. What I would suggest is a way to mark domains so that they won’t show up in the list.

    • Blocking HTTPS thumbnails would be a good start. It is used by many applications, but HTTP remains the primary protocol for content websites.

      A domain-specific blocker is a nice idea, although it seems like a slightly over-engineered solution for a minor browser widget.

      • Cortb

        I agree that blocking sites using HTTPS would be something for Firefox and other browsers to do. If you need to use SSL, then by the very nature of the content, it should be private. Or they could set the snapshot to work on page load, then the user would not have typed their information yet.

  • Another suggestion: taking a shot should be prevented from “logged-in” sessions.

    • Nice idea, but how do you know? There are many ways to retain application state and it would be difficult for the browser to make an assumption about whether you’re logged on or not.

  • Clicking on “Hide the new tab page” in FF doesn’t do any good because you can just click on “Show the new tab page” and all the thumbnails come back. I had mine hidden, and after restarting FF and clicking the “Show” button, all the thumbnails were still there.

    I really don’t care for the functionality, so I’d appreciate a tip to turn it off altogether.

    • That’s strange – my installation wiped the thumbnails when toggling the hide/show button?

      I guess a switch off function is coming and I wouldn’t be surprised if there’s an add-on.

  • Pete Nelson

    Fortunately, you can disable this feature in Firefox using about:config. Change the value of “browser.newtabpage.enabled” to “false”.

  • Ken Robinson

    Here’s how to turn off the thumbnails. Just a little searching with Google finds this:

    * Enter about:config in the browser’s address bar to load the advanced preferences listing
    * Filter for browser.newtabpage.enabled and double-click the entry to change its value to false. This disables the new tab page and displays a blank page instead.
    * Alternatively, filter for browser.newtab.url, double-click it and replace the about:newtab value with another page in the browser. Please note that Firefox will still generate the information in the background, as the feature is still active.


  • Richard P

    Marvelous. I just updated some public library machines with Firefox 13. We have a third-party application that is supposed to manage user sessions and clear data, but I have no doubt it’s not up to date. I’ve got a bunch of uninstalls to do.

  • There are at least two extensions that allow you to change the new tab page to something else. I’ve used Firefox’s Tab Mix Plus extension for a long time. In its options under Events ==> New Tabs you can change the “load on new tabs” option to something other than “New Tab Page” to mostly disable that. The NewTabURL extension offers the same thing.

    In Firefox’s “about:config” page you can change the values for the “browser.newtab.url” and “browser.newtabpage.enabled” preferences to disable the feature.

  • E.A.

    Why don’t you just set FF to clear history when you exit? Seems to work for me.

  • Charles

    Below are instructions on how to disable this useless feature:

    “If you wish to disable the New Tab Page completely, visit about:config, type in browser.newtab.url, and then set the value to about:blank (or about:home, if you prefer).”

    or just type in the address of your home page.


  • Charles

    The instructions are for Firefox.

  • Rod

    To eliminate this problem:
    Type: about:config in the address bar.
    Click on “I’ll be careful, I promise.”
    In the search box, type: browser.newtab.url to find it on the list below the search box.
    That item will be the only remaining line in the box under “Preference Name”. Double click on it.
    In the dialog box, replace the line with: about:blank
    Click OK.

  • I use a plugin called FVD Speed Dial, which is similar in function, but way more powerful and customizable than ff’s new tab page. The thumbnails are too small to read the text. Without researching this a bit, it appears to ‘overwrite’ or ‘replace’ the ff tab views. I don’t even have a button for tab view, I just have one for FVD, for changing settings, etc.

  • I like Cortb’s solution of taking the snapshot before sensitive information has been supplied. After the first key press or even mouse click event, if the snapshot has not been taken, it never will be and a place-holder image is used instead.

    I believe having a blacklist of domains to not screenshot is not a good solution. It is dependent on the user to understand that they need to do so. Security should be default behaviour – it should not depend on the user. (of course a white-list would render the feature useless)

  • Sandy

    Firefox also has the handy “restore last session” functionality, which even resurrects session cookies. Gone are the days of closing the browser to log out of your banking site, because now browser sessions can last between…sessions.

    • pov

      Instead of closing the browser you can click on Tools and then Clear Recent History (or just use Ctrl-Shift-Delete)
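
On shared machines, the two about:config preferences named in the comments above can be checked directly from a profile's prefs.js and user.js files. The script below is an added example, not code from the article or from Mozilla; the sample profiles, host names and status labels are constructed, and the defaults are the Firefox 13 values the comments imply.

```python
import re

# One preference line as Firefox writes it in prefs.js / user.js, e.g.
#   user_pref("browser.newtabpage.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Defaults assumed for Firefox 13, as implied by the comments above.
DEFAULTS = {"browser.newtabpage.enabled": True,
            "browser.newtab.url": "about:newtab"}

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # header lines, blank lines, malformed entries
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs

def new_tab_status(prefs_js, user_js=""):
    """Classify a profile as 'disabled', 'redirected' or 'exposed'."""
    prefs = dict(DEFAULTS)
    prefs.update(parse_prefs(prefs_js))
    prefs.update(parse_prefs(user_js))  # user.js overrides prefs.js at startup
    if prefs["browser.newtabpage.enabled"] is False:
        return "disabled"
    if prefs["browser.newtab.url"] != "about:newtab":
        # New tab page is replaced, but per the comment above the feature
        # is still active and generates thumbnails in the background.
        return "redirected"
    return "exposed"

# Constructed sample profiles (not taken from a real machine).
SAMPLES = {
    "kiosk-1": 'user_pref("browser.newtabpage.enabled", false);',
    "kiosk-2": 'user_pref("browser.newtab.url", "about:blank");',
    "kiosk-3": '# Mozilla User Preferences\nuser_pref("browser.startup.page", 0);',
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, new_tab_status(text))
```

A profile reported as "redirected" only hides the page; treat it like "exposed" when deciding whether history still needs clearing between users.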