Attack code for Firefox 16 privacy vulnerability now available online (ars technica) [LWN.net]

Firefox 16, which was released on October 9, has subsequently been withdrawn due to a privacy leak. Ars technica looks at code that can exploit the flaw, which is not present in Firefox 15. "In short order, he was able to take advantage of his discovery to fashion proof-of-concept code that forced Firefox 16 to identify a visitor's Twitter handle whenever the user was logged in to the site. The eight-line code sample takes about 10 seconds to reveal the username, and it wouldn't be hard for developers to expand on that code to create attacks that extract personal information contained in URLs from other websites."

(Log in to post comments)

Attack code for Firefox 16 privacy vulnerability now available online (ars technica)

Posted Oct 11, 2012 22:42 UTC (Thu) by kripkenstein (subscriber, #43281) [Link]

Yeah, 16.0.1 fixes this, patch was pretty quick.

Attack code for Firefox 16 privacy vulnerability now available online (ars technica)

Posted Oct 12, 2012 6:17 UTC (Fri) by Cato (subscriber, #7643) [Link]

This is why I use Firefox 10 ESR on most machines - also avoids the whole issue of extensions breaking frequently, which just happened on one PC where I do use latest-Firefox approach.

Incidentally, I find that Chrome uses far too much memory to be viable on most PCs with 3GB available RAM (32-bit Windows, Linux, Mac) - even with only 10 to 20 tabs open - because of the way its processes are related to a few tabs and get paged out. May be a Windows specific issue, due to the Windows predilection for paging out inactive processes, as I haven't had this on Mac/Linux so much.

Attack code for Firefox 16 privacy vulnerability now available online (ars technica)

Posted Oct 12, 2012 11:42 UTC (Fri) by Lennie (subscriber, #49641) [Link]

I believe the next ESR will be 17. This release was 16. So it will be time soon enough. ;-)

I believe the ESR based on Firefox 17 will be released at the same time as Firefox 18, but I could be mistaken.

Do you really still have addons that break ? That should hardly ever happen anymore.

I think they fixed it in 7 or 8. I run nightlies, betas, stable and I've not had that since that time (have to admit I removed some I didn't use anymore anyway and that seemed unmaintained).

Yes, Chrome has a different process model for security.

Firefox does not, they tried to figure out how to do it, but I think they had a really hard time to make it backwardcompatiblity with addons.

Also I think they didn't do it because Firefox needed to fix their memory usage first. That seems to be mostly done now.

The Firefox developers also introduced a new addon-model a few years ago which just uses webtechnologies instead of dependence on the C++-API (which is the part that might break on upgrades).

It is kind of ironic that I've not seen a lot of security bugs in Firefox which would be blocked by the Chrome process model.

I've seen tests which mention Firefox Mobile is the fastest browser on Android. In those tests Chrome on Android (not the Android browser) is the slowest, I was thinking could that also be because of the process model ?

Attack code for Firefox 16 privacy vulnerability now available online (ars technica)

Posted Oct 13, 2012 19:11 UTC (Sat) by thegraygeek (guest, #87195) [Link]

You sure are right about Chrome/Chromium. Memory hogs all. Mostly I tell folks to use Firefox or Midori, depending..Mostly all I deal with ARE Win doze users. Me.? I'm a Linux guy..