Mozilla bug leaks Web surfing data

Netscape and other Web browsers based on the Mozilla development project contain a bug that leaks people's Web surfing data, according to a new report.

		Reader Resources Mozilla 1.0 info Pop-up downloads

The bug reveals the URL of the page someone is viewing to the Web server of the site last visited. This allows a Web server to track where people go after they leave the site, even if the next Web address comes from a bookmark or is manually typed into the browser.

Researcher Sven Neuhaus, who published a security alert on Wednesday about the issue to the Bugtraq mailing list, said he had confirmed the bug in Mozilla 1.0, 1.0.1 and 1.1, though it probably also existed in older Mozilla versions. It also appears in browsers based on Mozilla's technology, including Netscape 7 and Galeon, a Linux application, he said.

Mozilla is an open-source project initiated by Netscape Communications, now part of AOL Time Warner, to foster volunteer interest in its browser technology. Mozilla's features and its Gecko rendering engine are now used in the Netscape 7 commercial software from AOL Time Warner.

The problem lies with a component called "onunload," Neuhaus said. He created a demonstration exploiting the bug, which he said is several weeks old, hoping to prompt Mozilla developers to deliver a fix.

In the meantime, Neuhaus said the vulnerability can be worked around by switching off JavaScript.

ZDNet U.K.'s Matthew Broersma reported from London.