Firefox may spill sensitive data via thumbnails, fix inside

Martin Brinkmann
Feb 7, 2013
Updated • Feb 8, 2013
Firefox

A story broke today on Hacker News where a user noticed that the Firefox web browser was saving an image of a Google 2-factor authentication barcode as a thumbnail even though that should not have happened anymore. The worrying aspect of this is that even though the thumbnails that are generated are rather small in size, zooming in works well enough so that QR code readers can identify the code displayed.

The QR code thumbnail is just one example, and since there do not currently seem to be restrictions in place to prevent the thumbnail generation of sensitive information, for instance on financial sites, it is recommended to temporarily fix the issue through other means. The human eye may not be able to identify smaller characters on thumbnails, but computer programs can likely be used to make information readable again.

Firefox by default is taking screenshots of visited websites to display thumbnails on the browser's new tab page. This is done to visualize the websites listed on the page. Firefox displays a gray background for https sites by default, but that does not seem to stop the browser from taking a screenshot of -some- https sites as well. It seems that Firefox takes screenshots of https websites if they allow browsers to cache their contents and while that does not remove the gray background image on the new tab page, it means that a thumbnail of the actual site is stored by the browser.

There is no fix right now that prevents the generation of those thumbnails in the browser. While you can turn off the new tab page in the advanced configuration of the browser, it may not be enough to prevent the creation of thumbnail images, especially since it takes a single click on the new tab page interface to activate it again.

There are two options to deal with the issue. You can remove the thumbnails manually from the cache, but that option may require lots of manual work and forgetting to do so once may be enough to leak information.

The second option is to clear the cache of the browser, for instance when you close it so that all generated thumbnails are deleted in the process. You can press Ctrl-Shift-Del at any time to open the Clear all History menu where you can run a cleanup manually.


A better option is to configure Firefox to automatically clear the cache on exit. This is done in the options which you can access via Firefox > Options. Here you need to switch to the privacy tab of the browser and switch from Remember History to Use custom settings for history.

Check the "Clear history when Firefox closes" option and click on settings next to it. Make sure cache is selected here. If you use session restore, do not select browsing history as it won't work otherwise.


Keep in mind that thumbnails are still generated while you are using the browser. A side effect of this is that all thumbnail fields will display a gray background instead of the actual thumbnail.

Mozilla can say that they are just following website rules and that is certainly correct. The issue here is though that it makes no sense to create a thumbnail of https sites that allow caching, as they are not used anywhere in the browser.

Update: As Philipp pointed out in the comments below, it is actually possible to disable the creation of thumbnails in Firefox. To do so, enter about:config in the browser's address bar and tap on the return key. If this is your first time, confirm that you know what you are doing.

Right-click anywhere and select New > Boolean. Type browser.pagethumbnails.capturing_disabled as the preference name and set its value to true.

Update 2: It turns out that Mozilla is saving the thumbnails in a separate directory and not using the cache anymore, so clearing the cache won't delete those thumbnails. To remove them, you need to delete the contents of the thumbnails folder manually. On Windows 7, the thumbnails cache folder is located under C:\Users\username\AppData\Local\Mozilla\Firefox\Profiles\random.default\thumbnails
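The two mitigations from the updates above, combined in an added script (not part of the original article and not Mozilla code): it empties a profile's thumbnails folder and persists browser.pagethumbnails.capturing_disabled through the profile's user.js file. The function names, the separate Local/Roaming directory arguments and the sample files in `demo()` are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

PREF_LINE = 'user_pref("browser.pagethumbnails.capturing_disabled", true);'

def purge_thumbnails(local_profile: Path) -> int:
    """Delete every file in <local_profile>/thumbnails; return how many were removed."""
    thumbs = local_profile / "thumbnails"
    if not thumbs.is_dir():
        return 0
    removed = 0
    for entry in thumbs.iterdir():
        # Skip symlinks and subdirectories so the purge never leaves the folder.
        if entry.is_file() and not entry.is_symlink():
            entry.unlink()
            removed += 1
    return removed

def disable_capturing(profile: Path) -> bool:
    """Add the pref to <profile>/user.js; return True if the file was changed."""
    user_js = profile / "user.js"
    text = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
    if PREF_LINE in text:
        return False  # already present, keep the file untouched
    if text and not text.endswith("\n"):
        text += "\n"
    user_js.write_text(text + PREF_LINE + "\n", encoding="utf-8")
    return True

def demo() -> tuple:
    """Run both steps against a constructed profile tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout mirroring the Local (thumbnails) / Roaming (prefs) split.
        local = Path(tmp) / "Local" / "random.default"
        roaming = Path(tmp) / "Roaming" / "random.default"
        (local / "thumbnails").mkdir(parents=True)
        roaming.mkdir(parents=True)
        for name in ("a.png", "b.png", "c.png"):  # constructed sample files
            (local / "thumbnails" / name).write_bytes(b"constructed sample")
        removed = purge_thumbnails(local)
        left = len(list((local / "thumbnails").iterdir()))
        first = disable_capturing(roaming)
        second = disable_capturing(roaming)  # second call must not duplicate the line
        prefs = (roaming / "user.js").read_text(encoding="utf-8")
        return removed, left, first, second, prefs.count(PREF_LINE)

if __name__ == "__main__":
    print(demo())
```

Run it against a real profile only while Firefox is closed, since user.js is read at startup and the browser may recreate thumbnails during a running session.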


Comments

  1. RIP Opera Presto said on February 24, 2015 at 2:37 am

    Why is there no simple way to add a custom icon/image to those speed dial bookmarks? Why. I can’t understand it.

    It could be “right click → edit → set image url or file”.

    Wasn’t like that on Opera?

  2. Andy said on February 10, 2013 at 9:10 am

    There’s a bug, vote for it:

    Expose an option to prevent creation of page thumbnails
    https://bugzilla.mozilla.org/show_bug.cgi?id=793544

  3. BobbyPhoenix said on February 9, 2013 at 2:53 am

    That or just make the first page the thumbnail. I don’t see harm in that. Like when you first go to say: chase.com It would create the thumbnail of the main page only. No sign on data or anything there. I mean everyone can go to that site, so there is nothing anyone can’t see on their own.

  4. Ken Saunders said on February 9, 2013 at 12:05 am

    “Do you know if there is a way to configure Firefox to delete the thumbnails folder on exit? The only option that I see right now is to either disable the generation of thumbnails or to delete the contents of the folder manually. A switch to do so automatically would be useful”

    Martin, as you mentioned above, browser.pagethumbnails.capturing_disabled will prevent thumbnails from being created in the future.
    Do you want the thumbnails? I guess if you or others use the new tab page, and/or Panorama, you’d want to keep it set to false.

    If it helps at all, I have a few profiles set for private browsing at all times and none of them have any thumbnails. Perhaps when private browsing mode can be run along side default browser, privacy/security concerns will be eased.
    I’ll have to test that out to make sure that thumbs aren’t captured.

    By the way, the thumbs I have are 640×400, larger than most mobile screens.

    1. Martin Brinkmann said on February 9, 2013 at 1:00 am

      I would like to see options implemented to block the generation of thumbnails for https sites, or use a site’s favicon instead as someone else suggested. Another option would be to provide users with options to use their own thumbnails for sites, or simply use smaller thumbnails.

  5. guest said on February 8, 2013 at 12:52 pm

    Don’t know how to delete thumbnails on exit..
    I think better approach for FF would be to use fav-icons (larger ones if available) for about:newtab page – privacy & https problems solved.

  6. guest said on February 8, 2013 at 10:27 am

    Well, I have “Clear history when Firefox close” enabled for years now (cache checked), thumbnails still generated on about:newtab page…

    1. Martin Brinkmann said on February 8, 2013 at 10:28 am

      During the session I presume?

      1. guest said on February 8, 2013 at 11:37 am

        No, always. FF added independent from cache thumbnails storage some 3-5 versions ago.

      2. Martin Brinkmann said on February 8, 2013 at 12:20 pm

        Thanks for pointing that out. Do you know if there is a way to configure Firefox to delete the thumbnails folder on exit? The only option that I see right now is to either disable the generation of thumbnails or to delete the contents of the folder manually. A switch to do so automatically would be useful.

  7. BobbyPhoenix said on February 8, 2013 at 4:14 am

    OK this article has me a bit worried, but I don’t know if I’m understanding it correctly. The harm with having the thumbnail images is because someone can access them through your use of the browser online? As in you visit a site that somehow is infected with some virus or trojan, and because Firefox creates them the site can see and steal them? Is that right? Or do you mean someone needs physical access to the computer and browser? If the second is the case then I’m not that worried. It’s like when everyone was afraid of their passwords being stolen if someone was on their computer as they could go to settings, and see the passwords by simply opening the password manager. Well of course if you have sensitive data on your computer be it by browser, or a simple document, letting someone use your computer puts everything at risk. Am I understanding this threat correctly? And I’m not trying to be sarcastic. I really want to know what and where the threat is. Thanks.

    1. Martin Brinkmann said on February 8, 2013 at 9:57 am

      Bobby, the thumbnails get generated locally and someone needs local access or remote control to get access to them.

  8. philipp said on February 7, 2013 at 11:52 pm

    the creation of thumbnails in firefox can also be switched off totally – enter about:config into the firefox location bar (confirm the info message in case it shows up). then right-click somewhere in the page and create a new boolean preference named browser.pagethumbnails.capturing_disabled set to true.

    https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.pagethumbnails.capturing_disabled

    1. Martin Brinkmann said on February 8, 2013 at 12:00 am

      Philipp, that’s great, thanks for mentioning that.

  9. Transcontinental said on February 7, 2013 at 11:41 pm

    Well if you do use this thumbnail “thing” then it can be problematic, of course.
    Why thumbnails ? History and/or closed tabs list is far enough, but that’s another approach …
    I know this had been a tough topic a bit everywhere when Firefox 13 proposed the about:newtab, about:home features, but frankly one can live as well with, as the above link pointing to related ghacks article :

    "browser.newtab.url", about:blank
    "browser.newtabpage.enabled", false

    Whatever, I still get the thumbnails folder created in my profile whenever I remove it. Stays empty, always remade, and not on Firefox start : it’s part of a process which keeps running even if you’ve disabled thumbnails catching (browser.newtabpage.enabled set to false) … that’s no good.
