Several websites, including The Register and ZDNet, have reported that Firefox 13’s new tab page is taking thumbnail snapshots of visited pages — including those during secure HTTPS sessions.
The problem is not unique to Firefox; Chrome and Safari also generate thumbnails of HTTPS page content but their images are smaller and less readable. Firefox’s larger snapshots can reveal webmail and online banking sessions containing visible account numbers, balances and subject lines — even after you’ve logged out.
Fortunately, the thumbnails are generated by the browser and stored locally. No URLs or data are sent to servers, and the images can be removed by clearing the history or clicking the “Hide the new tab page” icon at the top-right of the screen.
While the issue is unlikely to affect those with sole use of a single device, those using shared PCs should be wary. Firefox usually refreshes the new tab page after a browser restart so it’s best to use Private Browsing Mode during your session or the Clear Recent History option immediately after.
Mozilla has acknowledged the behavior and promised to release a patch shortly. But it’s a lesson for us all: if we’re not careful, seemingly innocent and useful software functionality can cause undesirable security side-effects.
Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.