Firefox may spill sensitive data via thumbnails, fix inside
A story broke today on Hacker News where a user noticed that the Firefox web browser was saving an image of a Google 2-factor authentication barcode as a thumbnail even though that should not have happened anymore. The worrying aspect of this is that even though the thumbnails that are generated are rather small in size, zooming in works well enough so that QR code readers can identify the code displayed.
The QR code thumbnail is just one example, and since there do not seem to be restrictions in place currently to prevent the thumbnail generation of sensitive information, for instance on financial sites, it is recommended to temporarily fix the issue through other means. The human eye may not be able to identify smaller characters on thumbnails but computer programs can likely be used to make information readable again.
By default, Firefox takes screenshots of visited websites to display thumbnails on the browser's new tab page. This is done to visualize the websites listed on the page. Firefox displays a gray background for https sites by default, but that does not seem to stop the browser from taking a screenshot of -some- https sites as well. It seems that Firefox takes screenshots of https websites if they allow browsers to cache their contents. While that does not remove the gray background image on the new tab page, it means that a thumbnail of the actual site is stored by the browser.
There is no fix right now that prevents the generation of those thumbnails in the browser. While you can turn off the new tab page in the advanced configuration of the browser, it may not be enough to prevent the creation of thumbnail images, especially since it takes a single click on the new tab page interface to activate it again.
There are two options to deal with the issue. You can remove the thumbnails manually from the cache, but that option may require lots of manual work and forgetting to do so once may be enough to leak information.
The second option is to clear the cache of the browser, for instance when you close it so that all generated thumbnails are deleted in the process. You can press Ctrl-Shift-Del at any time to open the Clear all History menu where you can run a cleanup manually.
A better option is to configure Firefox to automatically clear the cache on exit. This is done in the options which you can access via Firefox > Options. Here you need to switch to the privacy tab of the browser and switch from Remember History to Use custom settings for history.
Check the "Clear history when Firefox closes" option and click on settings next to it. Make sure cache is selected here. If you use session restore, do not select browsing history as it won't work otherwise.
Keep in mind that thumbnails are still generated while you are using the browser. A side effect of clearing the cache on exit is that all thumbnail fields will display a gray background instead of the actual thumbnail.
Mozilla can say that they are just following website rules, and that is certainly correct. The issue, though, is that it makes no sense to create thumbnails of https sites that allow caching, as they are not used anywhere in the browser.
Update: As Philipp pointed out in the comments below, it is actually possible to disable the creation of thumbnails in Firefox. To do so, enter about:config in the browser's address bar and tap on the return key. If this is your first time, confirm that you know what you are doing.
Right-click anywhere and select New > Boolean. Type browser.pagethumbnails.capturing_disabled as the preference name and set its value to true.
Update 2: It turns out that Mozilla is saving the thumbnails in a separate directory and not using the cache anymore. To delete the contents of the thumbnails folder, you need to delete the files within it manually. Clearing the cache won't delete those thumbnails anymore. On Windows 7, the thumbnails cache folder is located under C:\Users\username\AppData\Local\Mozilla\Firefox\Profiles\random.default\thumbnails
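The two updates above can be scripted together. The following is an added example, not code from the original article or from Mozilla: it pins the preference through the profile's user.js file (a standard Firefox mechanism the article does not mention) and empties the thumbnails folder. The function names are hypothetical, and the caller is assumed to pass in the profile directory and the local profile directory that contains the thumbnails folder.

```python
"""Added example: set the thumbnail pref in user.js and purge stored thumbnails."""
import tempfile
from pathlib import Path

PREF = "browser.pagethumbnails.capturing_disabled"  # preference named in the article
PREF_LINE = f'user_pref("{PREF}", true);'


def disable_capture(profile_dir: Path) -> bool:
    """Pin the pref to true in <profile>/user.js; return True if the file changed."""
    user_js = profile_dir / "user.js"
    lines = user_js.read_text(encoding="utf-8").splitlines() if user_js.exists() else []
    # Drop any earlier line for this pref (for example one set to false).
    wanted = [ln for ln in lines if f'"{PREF}"' not in ln] + [PREF_LINE]
    if wanted == lines:
        return False
    user_js.write_text("\n".join(wanted) + "\n", encoding="utf-8")
    return True


def purge_thumbnails(local_profile_dir: Path) -> int:
    """Delete every file in <local profile>/thumbnails; return how many were removed."""
    thumbs = local_profile_dir / "thumbnails"
    removed = 0
    if thumbs.is_dir():
        for entry in thumbs.iterdir():
            if entry.is_file():
                entry.unlink()
                removed += 1
    return removed


def demo() -> tuple:
    """Run both steps against a constructed throwaway profile, not a real one."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp, "Roaming", "random.default")
        local = Path(tmp, "Local", "random.default")
        (local / "thumbnails").mkdir(parents=True)
        profile.mkdir(parents=True)
        (profile / "user.js").write_text(f'user_pref("{PREF}", false);\n', encoding="utf-8")
        for name in ("constructed-1.png", "constructed-2.png"):
            (local / "thumbnails" / name).write_bytes(b"\x89PNG constructed sample")
        return disable_capture(profile), purge_thumbnails(local), disable_capture(profile)


if __name__ == "__main__":
    print(demo())
```

Run it with Firefox closed, since user.js is only read when the browser starts.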