Neither Private Browsing mode nor DNS-over-HTTPS will shield you from this decades-old DNS quirk
Firefox and Chrome have a serious privacy flaw that sends users’ search terms to their internet service providers (ISPs) without their consent, a security researcher has discovered.
Malicious attackers could also exploit the bug, which remains unpatched in both web browsers, to track users’ online behavior, Duy Khuong claimed in a GitHub post that was first published in April.
Even the implementation of privacy-protecting measures like DNS-over-HTTPS (DoH) or using the pro-privacy DuckDuckGo search engine fail to protect users, he added.
The researcher told The Daily Swig that browsing in Chrome’s Incognito Mode or Firefox’s Private Browsing mode did not prevent the privacy leak either.
Words-without-spaces
The vulnerability arises when a user types a single word, or multiple words separated by hyphens, into the browser address bar and presses enter. (The search term ‘words-without-spaces’ would trigger the flaw; ‘words with spaces’ would not.)
As well as generating search engine results, the search term is erroneously relayed to a domain name system (DNS) server belonging to the user’s ISP.
Users can verify the data leak by checking their DNS logs.
ISPs do generally track which web pages users visit (although this can be circumvented through the use of virtual private networks), but the major browsers don’t deliberately share users’ search habits.
Malicious actors could also potentially track users’ search history by setting up “a rogue Dynamic Host Configuration Protocol (DHCP) server” and setting “the user’s DNS suffixes to” their own server, the researcher warned in his GitHub post.
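The article says users can confirm the leak in their DNS logs and should check that their DNS suffixes contain nothing unusual. The script below is an added example, not code from the article or from the researcher's GitHub post: it scans resolver query logs for lookups that look like address-bar search terms (a single hyphenated label, with or without a configured search suffix appended) and audits the suffixes in a resolv.conf-style file against an allow list. The log format, the `corp.example` suffix and the client addresses are all constructed for the example; the log line shape is loosely modelled on a dnsmasq query log but is not a real format.

```python
"""Added example (not from the article): find address-bar search terms that
leaked to a local DNS resolver, and audit configured DNS search suffixes."""
import re
from dataclasses import dataclass

# Hypothetical log format, constructed for this example:
#   "<date> <time> query[<type>] <name> from <client>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Suffixes the network owner actually configured (constructed value).
EXPECTED_SUFFIXES = {"corp.example"}

# A single label made of words joined by hyphens: the shape the article says
# triggers the lookup. A dotted hostname is ordinary browsing and is ignored.
LEAK_LABEL = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")


@dataclass
class Finding:
    name: str      # the name as queried
    label: str     # the search-term-looking label
    suffix: str    # search suffix that was appended, "" if none
    client: str    # client that issued the query


def split_suffix(name, suffixes):
    """Strip a known search suffix from a queried name, if one is present."""
    name = name.rstrip(".").lower()
    for s in sorted(suffixes, key=len, reverse=True):
        if name.endswith("." + s.lower()):
            return name[: -len(s) - 1], s.lower()
    return name, ""


def looks_like_search_term(label):
    # The resolver cannot tell a leaked search term from a legitimate single-word
    # intranet host any better than the browser can, so callers pass known hosts
    # separately to cut the noise.
    return "." not in label and LEAK_LABEL.fullmatch(label) is not None and not label.isdigit()


def find_leaked_terms(log_lines, suffixes=EXPECTED_SUFFIXES, known_hosts=frozenset()):
    """Return a Finding for every query whose name looks like a leaked search term."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        label, suffix = split_suffix(m["name"], suffixes)
        if label in known_hosts:
            continue
        if looks_like_search_term(label):
            findings.append(Finding(m["name"], label, suffix, m["client"]))
    return findings


def audit_search_suffixes(resolv_conf_text, expected=EXPECTED_SUFFIXES):
    """Return search/domain suffixes from resolv.conf-style text that are not expected.

    A rogue DHCP server that pushes its own suffix would show up here as an
    unexpected entry."""
    allowed = {e.lower() for e in expected}
    configured = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            configured.extend(p.lower().rstrip(".") for p in parts[1:])
    return [s for s in configured if s not in allowed]


# Constructed sample log: one leaked term with the suffix appended, the same
# term bare, normal browsing, a real intranet host and a second leaked term.
SAMPLE_LOG = [
    "2020-06-10 09:14:02 query[A] words-without-spaces.corp.example from 192.0.2.10",
    "2020-06-10 09:14:02 query[AAAA] words-without-spaces from 192.0.2.10",
    "2020-06-10 09:14:05 query[A] www.example.com from 192.0.2.10",
    "2020-06-10 09:14:07 query[A] printer from 192.0.2.11",
    "2020-06-10 09:14:09 query[A] how-to-fix-sink.corp.example from 192.0.2.10",
]

# Constructed resolv.conf with one suffix the owner never configured.
SAMPLE_RESOLV_CONF = "search corp.example unexpected-suffix.example\nnameserver 192.0.2.1\n"

if __name__ == "__main__":
    for f in find_leaked_terms(SAMPLE_LOG, known_hosts={"printer"}):
        print(f"possible leaked search term {f.label!r} from {f.client} (suffix {f.suffix!r})")
    for s in audit_search_suffixes(SAMPLE_RESOLV_CONF):
        print(f"unexpected DNS search suffix: {s}")
```

Run against real resolver logs, the `known_hosts` set should hold the intranet names the network legitimately serves; anything left over is either a leaked search term or a host that belongs on that list.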
DNS legacy flaw
Selena Deckelmann, vice president of Firefox Desktop, told The Daily Swig that the flaw was the legacy of “a decades-old feature built into the [DNS]”, in which “single word website names are still used by private and enterprise networks”.
She added: “When a user types a single word into the address bar, Firefox needs to determine whether the user is intending to search, or to visit one of these local, single word websites.
“These sites will never be found in external DNS or through DNS-over-HTTPS resolvers, which is why we fall back to consulting local DNS.”
The researcher successfully exploited the flaw in April on Firefox 75, then the latest version, and Chrome 81, since succeeded by Chrome 83, but suspects later versions will be “most likely affected, too”.
‘Short-term mitigation’
Khuong told The Daily Swig that fixing the problem might impact users’ ability to visit “local, single-word websites”.
However, he advised that “users should be informed of the risks” and be given the option of avoiding the problem.
Deckelmann indicated that this was Mozilla’s plan.
“As a short-term mitigation, we plan to add a preference for users to control this behaviour in Firefox 78,” she said. “Longer term, we hope to identify reliable heuristics to limit the use of these DNS lookups.”
Google has yet to respond to The Daily Swig’s query about their own plans to address the flaw.
Interestingly, the issue has been merged with a similar bug in the Chromium bug-tracker, dating back to 2015, that has also not been fixed.
The latest entry, from the Chromium team on April 14, said Covid-19 and the departure of an employee who had been working on the bug had delayed a remedy.
“I doubt that this bug will be fixed any time soon in Chrome,” said the researcher.
Offering advice to users who might be worried about the privacy leak, Khuong recommended eschewing DHCP and setting IP addresses manually, while ensuring that DNS suffixes do not include “unusual” addresses.
He told The Daily Swig that the problem didn’t affect Tor or Microsoft Edge browsers.
The researcher alerted Mozilla and Google to the problem on April 13. Google replied a day later, on April 14.
Firefox failed to respond, despite a reminder sent by the researcher on May 13, but a bug report was opened on Bugzilla on June 2.