Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.
Introduced in the browser last fall, Firefox Screenshots was meant to make it easy for users to “take, download, collect and share screenshots.” To access it, one would have to click on the Page actions menu in the address bar (or simply right-click on a web page) and select Take a Screenshot.
This allows users to save a screenshot of the entire page, of the visible section of the page, or use a selection tool to save only a region they consider important. Next, they can dismiss the action, copy the screenshot, download it, or click a “Save” button that sends the screenshot to the cloud.
All saved screenshots go to https://screenshots.firefox.com, a default setting in the browser. Furthermore, all screenshots that have been previously shared to public forums are indexed by search engines such as Google and could be discovered and accessed by anyone.
Screenshots are sent to the public server only when the user clicks the “Save” button. Many users, however, might have been long doing so without realizing that they were actually sending them to the cloud.
Mozilla issued a fix for the issue yesterday, soon after details on it emerged on Twitter. Apparently, this is not the first time the organization attempts to address this, but the previous implementation was flawed.
Specifically, in its attempt to avoid shot pages being indexed by search engines, Mozilla replaced robots.txt with <meta name=robots value=noindex>, but the fix was “only put in place for expired pages instead of all pages as intended.”
“So this is being deployed and now we’re talking to DDG/Google etc to strip the domains,” John Gruen, UX-focused Product Manager at Mozilla, t
old the ethical hacker who discovered the flaw.
“Firefox Screenshots is one of the most loved features that launched out of Test Pilot. Through our Test Pilot program, we test new experiments before making them available to the public. Firefox Screenshots lets users capture web pages and download them, copy them to clipboard or share them via URL. Yesterday, an independent researcher discovered that screenshots shared by their owners in public online forums subsequently became indexable by search engines. This issue was resolved immediately by the Screenshots team. People who use Firefox Screenshots can feel confident that their Screenshot history is consistent with the Firefox Browser Privacy Notice.” a Mozilla spokesperson told SecurityWeek in an emailed comment.
Updated: A previous version of this article incorrectly stated that all screenshots end up being publicly accessible.
Update 2: Added statement from Mozilla
Related: Firefox 60 Brings Support for Enterprise Deployments
Related: Firefox Fails at Keeping Passwords Secure, Developer Claims
