Mozilla set to patch eight-year-old CSS history leak
By Martin James
The Mozilla Foundation has announced it is close to plugging a privacy hole that has plagued all major web browsers for nearly a decade.
The vulnerability in question is a Cascading Style Sheets (CSS) issue that can expose an internet user's web history to a malicious page, because CSS renders visited and unvisited links in different colours and a page can observe which colour was applied.
In a post on the Mozilla blog, Sid Stamm of Mozilla Security said the Foundation was close to plugging the so-called “CSS History Leak” and that the matter would be addressed in a forthcoming Firefox fix, though he did not specify exactly when.
“We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time,” Stamm wrote. “We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though.”
Currently, all an attacker needs to do to get an accurate picture of a web user's browsing history is load a page containing a huge list of candidate URLs as links and filter out those the browser renders in the visited-link colour, which indicates the site in question has been visited.
Regularly clearing your web history is one way to limit the exposure, but with all major browsers vulnerable to a problem that has been known for some eight years, it has become a well-known – and well-exploited – security hole.
The proposed patch – developed by Mozilla employee David Baron – fixes the problem by making the browser's elements and the CSS functions a page can observe behave as if every link were unvisited, so that only the on-screen colour reflects the true visited state.
In a post on his own blog, Baron said the patches were complete and only needed to go through review and testing before they could be shipped to Firefox users.
“I have patches implementing this solution that I believe are largely complete, and which I will soon be requesting reviews on to begin the process of incorporating them into a future version of Gecko, the layout engine used by Firefox.”
In reporting the news, however, Stamm warned that there could be some effect on day-to-day browsing – at least until websites adapted to the new measures.
“For the most part, users shouldn’t notice a change in how the web works. A few websites may look a little different, but visited links will still show up differently coloured. A few sites that use more than colour to differentiate visited links may look slightly broken at first while they adjust to these changes, but we think it’s the right trade-off to be sure we protect our users’ privacy,” he added.
“This is a troubling and well-understood attack; as much as we hate to break any portion of the web, we need to shut the attack down to the extent we can.”
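To make the mechanics of the fix concrete, the following is an added toy model of the mitigation the article describes; it is not Gecko's code or David Baron's patch. It resolves a link's style two ways: the script-visible path (what a page's getComputedStyle call or layout would see) treats every link as unvisited, while the paint path still applies the :visited rule, but only for the colour properties in a whitelist (the whitelist, the stylesheet, the history set and the URLs are all constructed assumptions). Running the history check against both engine modes shows why the leak disappears, and the painted style shows why a site that marks visited links with an image or a display change looks "slightly broken" afterwards while the colour difference survives.

```javascript
// Toy model of the :visited privacy mitigation described in the article.
// Added illustration, not Gecko's code. Stylesheet, history and URLs are
// constructed sample data.

// Assumption: after the fix, a :visited rule may only change colour-type
// properties in what is painted; everything else is dropped.
const VISITED_ALLOWED = new Set(['color', 'background-color', 'border-color', 'outline-color']);

// Constructed stylesheet. The site marks visited links with a colour AND a
// checkmark image plus a display change, i.e. "more than colour".
const STYLESHEET = [
  { selector: 'a', style: { color: 'blue', display: 'inline', 'background-image': 'none' } },
  { selector: 'a:visited', style: { color: 'purple', display: 'inline-block', 'background-image': 'url(checkmark.png)' } },
];

// Constructed browsing history (placeholder URL).
const HISTORY = new Set(['https://example.com/visited']);

// Resolve the style of a link to `href`.
//   forPainting: true on the paint path; false for script-visible APIs and layout.
//   mitigated:   whether the engine applies the privacy fix.
function resolveStyle(href, { forPainting, mitigated }) {
  const visited = HISTORY.has(href);
  const style = {};
  for (const rule of STYLESHEET) {
    const isVisitedRule = rule.selector === 'a:visited';
    if (isVisitedRule && !visited) continue;
    for (const [prop, value] of Object.entries(rule.style)) {
      if (isVisitedRule && mitigated) {
        // Script and layout always get the unvisited style; the painter only
        // receives the whitelisted colour properties from the :visited rule.
        if (!forPainting || !VISITED_ALLOWED.has(prop)) continue;
      }
      style[prop] = value;
    }
  }
  return style;
}

// What a page script can learn: URLs whose script-visible style differs from
// the style of a link that was never visited. This is the leak the article
// describes, run against the model so the two engine modes can be compared.
function scriptObservableVisited(urls, mitigated) {
  const baseline = resolveStyle('https://example.invalid/never-visited', { forPainting: false, mitigated });
  return urls.filter((url) => {
    const seen = resolveStyle(url, { forPainting: false, mitigated });
    return Object.keys(baseline).some((prop) => seen[prop] !== baseline[prop]);
  });
}

// What the user actually sees on screen for a link.
function paintedStyle(href, mitigated) {
  return resolveStyle(href, { forPainting: true, mitigated });
}

const SAMPLE_URLS = ['https://example.com/visited', 'https://example.com/not-visited'];
console.log('unmitigated, script can tell apart:', scriptObservableVisited(SAMPLE_URLS, false));
console.log('mitigated,   script can tell apart:', scriptObservableVisited(SAMPLE_URLS, true));
console.log('mitigated, painted visited link:', paintedStyle('https://example.com/visited', true));
```

In the mitigated mode the script-visible check returns an empty list even though the painted link is still purple; the checkmark image and the inline-block display from the :visited rule never reach the painter, which is the class of site breakage Stamm's post anticipates.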