Cache and Carry

The newest JavaScript exploit affects Netscape browsers and allows snoops to track users' Web travels. Netscape will tell users how to avoid it and will plug the hole in its next browsers. By Chris Oakes.

Worried about someone who shares your computer shadowing you on the Web? You've got reason to fret -- a newly discovered Netscape security hole could reveal your browsing habits or show any site you visit.

"With a little bit of JavaScript and a little bit of Perl script running on this Web server, [a snoop site] can get a complete list of all Web sites you've visited in the last month or two," said Richard Smith, who has tested the vulnerability. "The implications are a pretty bad invasion of privacy."

The exploit was discovered by Dan Brumleve, who has posted a demonstration script on his own Web site to prove his discovery and call Netscape's attention to it.

Smith, who is president of Massachusetts-based Phar Lap Software, recently discovered a powerful vulnerability in Qualcomm's Eudora software. He has been testing Brumleve's findings and has contributed to Brumleve's work on the Netscape exploit.

Netscape confirmed the existence of the bug and said it would be issuing instructions for avoiding exploits. The company plans to sew up the hole when it releases the final version of Netscape Communicator 4.5, due out "shortly," according to Netscape product manager Eric Byunn.

The script grabs information that is produced when a special address is entered in Netscape Navigator's location bar. Users can see exactly what this information is by typing "about:cache" or "about:global" into their own location bar. In addition to recently visited sites, the information can include URLs showing keywords a user may have entered in an Internet search engine. A standard Web form delivers the data back to the snoop site.

"The hack is pretty cool," Smith said. Though neither Smith nor Brumleve has attempted it yet, the exploit could also be conducted through email, by sending a message carrying the script.

"Basically, a programmer has found a way to jump through some hoops and with some pretty obscure JavaScript, read some URLs from the [browser] cache," Byunn said. The Netscape cache is where recently accessed URLs, text, and images are stored.

Brumleve says the exploit affects all versions of Netscape that support JavaScript, but not Microsoft's Internet Explorer software. The exploit affects JavaScript-enabled versions of Netscape through version 4.06.

Byunn said Netscape is investigating all aspects of JavaScript to prevent similar situations in the future.

Barry Steinhardt, president of the Electronic Frontier Foundation, said the bug points to the need for better testing by software developers and for better concealment of data using encryption.

"Web users should be demanding that applications incorporate encryption," said Steinhardt, who explained that if the stolen data were encrypted, it would be completely useless to intruders.

"Whether it's e-commerce applications or electronic mail or file-storage programs," Steinhardt said, "Internet users need to make clear to the high-tech corporate world that they will not have full confidence in the security of their communications until strong encryption and other security measures are built into applications in seamless and easy-to-use ways."