(A Javascript-enabled browser is required to email me.)



Netscape 2.0b2 allows serious privacy breach; fixed in 2.0b3
From TBTF for 1995-12-02



Netscape 2.0b2 allows for invasion of privacy
Copyright © 1995 by Scott Weston <scott@tripleg.com.au>
December 2, 1995

Editor's note: Netscape has fixed this bug in 2.0b3.

Hi 'Net Dwellers,

First off -- I've posted this before (however not to this group) and only got a response from the Netscape Corp. They were glad I found the problem and said that they would fix it, however I feel that people should know about it. Also I would like people to help me spread this document around, i.e. if you know of a newsgroup (or people) that would find this interesting then please re-post it.

On with the problem...

I've recently got hold of the latest netscape, and was (at first) very excited about the new "LiveScripts" that it supports. If people don't yet know -- these "LiveScripts" allow you to put small programs into your web page that is then executed by the Netscape client. There is no direct way for these programs to send information back to the owner of the web page, however I was able to do it in a not-so-direct way.

The "LiveScript" that I wrote extracts all the history of the current netscape window. By history I mean all the pages that you have visited to get to my page, it then generates a string of these and forces the Netscape client to load a URL that is a CGI script with the QUERY_STRING set to the users History. The CGI script then adds this information to a log file. Now if this hasn't quite clicked yet lets do a little example.

Johnny Mnemonic starts up his newly acquired version of Netscape2.0b2 to start his daily "surf" session. First he decides to check his CD-NOW purchase and uses the handy Auto-Login URL. Then he decides to go to Lycos and do a search. In his search he find my page, which he decides to visit. Suddenly he is transported, not to my main page but to one of my CGI scripts, which in turn happens to have ALL the URL's he just been to in it. This means that in my log will be:

I do this in a way that the user will know that it has happened and will hopefully email Netscape and tell them they are not impressed. But it would be easy for me to change the CGI script so that the user is unaware that it has actually happened, unless they closely examine their URL history (in fact they'll probably just think its a netscape bug).

If you're skeptical about this then do the test yourself. Get netscape 2.0b2 and do some normal surfing, and then go to Lycos. Do a search for:

   scotts car boot sale

which should return the URL -- http://www.tripleg.com.au/staff/scott

Click on the URL and sit back and watch. First my main page will show up but a little while later you should be transported to a CGI bin script that will show you your URL history.

Editor's note: Netscape has fixed this bug in 2.0b3; if you visit this page using beta 3 your history will be blank.

I have tested this with both the Linux 2.0b2, and Solaris 2.0b2 versions and both have done the same thing. I would be interested in knowing if it happens for ALL versions of Netscape2.0b2. The log file does log the User Agent (i.e. the name of the platform you are using) so by simply going to the page I will know that your version of Netscape is also open to this form of attack.

Currently I can find no way to configure Netscape2.0b2 to not run LiveScripts -- and at the very least this option should be quickly added to the next version of netscape to be released. But a far better solution (IMHO) would be for netscape to pop up a window before running the LiveScript and let you know what the LiveScript wants access to, e.g. if it only wants to print out the current time then that's OK, but if it wants to read my history list and then transport me to a CGI script and add me to a logfile then maybe I would say no.

I think I've said enough....

If you've got any further questions, or want some more information just email me: scott@tripleg.com.au.

[ TBTF for 1995-12-02 ]