- Nov 10, 2017
- 3,250
More information
blog/firefox/privacy-leakage at master · samduy/blog
Findings, bugs, disclosures, some other stuff... written by me. - samduy/blog
github.com
[Bug] Chrome & Firefox privacy leakage: search term is sent to ISP without user's consent
- Thread starter CyberTech
- Start date
More information
github.com
- Apr 1, 2019
- 2,808
- Jul 27, 2015
- 5,459
- Mar 29, 2018
- 7,136
### TimelineAnd yet again Chrome doesn’t look so bad
- 2020/04/13: Sent bug reports to both Firefox (at security () mozilla org)
and [Chrome](1070282 - chromium - An open-source project to help move the web forward. - Monorail).
- 2020/04/14: Google team replied. There was a similar bug ([#479620](
479620 - chromium - An open-source project to help move the web forward. - Monorail)) in their bug-tracking system but no-one had
fixed yet. No responses from Firefox team.
- 2020/05/13: Sent another reminder to Firefox team at email address:
security () mozilla org.
- 2020/05/31: Still no responses from Firefox team.
- 2020/06/01: Bug disclosure to public.
- Aug 22, 2013
- 830
Bugs of this kind calls for the use of a good quality router (which can use doH) in between your ISP provided modem and your pc/other devices. ISPs these days provide a locked down modem with their own dns configuration which we can't change. (I argued with my ISP, just to hear what they say, that I have paid for my modem and I need it to run my specific dns configuration, to which they replied that they need to filter some address as per law and they can't do nothing regarding this.) Everything for sake of law..my f**t.
Firefox doesn't care a long time ago about user privacy. They're only interested in making money and marketing with misinformation.
- May 13, 2017
- 2,509
You can say that again: DoH + DDG = Fail! The new Windows will take care of it, when DoH will be enabled, but still, this should not be possible, unless ... .
And what about, when the user searches from the webpage itself and not from the address bar? The search term is still included within the URL.
- 2020/06/01: Public disclosure.
- 2020/06/02: A person from Firefox team replied. They are responding to the issue at (1642623 - User's search term is accidentally sent to ISP without user's consent.).
blog/firefox/privacy-leakage at master · samduy/blog
Findings, bugs, disclosures, some other stuff... written by me. - samduy/blog
github.com
- Apr 1, 2019
- 2,808
Sleepily missed that. Doesn’t matter for me, my router forces it’s DNS resolver on all requests.
- Apr 1, 2019
- 2,808
- Jan 8, 2011
- 22,361
If it's a
bug that affects both Chrome and Firefox, then aren't you spreading misinformation about Firefox?This wasn't about this bug here but generally about Mozilla.
But even without that fact, Mozilla answer a lot too late. This just confirm how bad they handle security.
Also see Firefox and Chromium Security | Madaidan's Insecurities
- Aug 17, 2014
- 10,210
Firefox to allow users to disable sending of search terms to ISPs, Chrome has no fix for now.
Firefox and Chrome browsers have a privacy flaw where the user typed search terms are sent to DNS servers of ISPs, even when Private browsing mode or Privacy-focused search engine DuckDuckGo is used or DNS over HTTPS (DoH) is enabled. Mozilla with the upcoming version Firefox 79, offers a...
techdows.com
- Apr 1, 2019
- 2,808
In reviewing the documentation on this it doesn't seem as severe as the title makes it out. It is only single word search terms including hyphenated terms. This can easily be mitigated in the short term by not using the url bar to search, or at least not when using single word searches. Good on Firefox for offering to disable it. But, maybe a best practice is to go to the search engine you want to use instead of using the url bar (inconvenient, but minor).
- Jun 23, 2018
- 434
Having enabled DNS logging, I'm seeing full domain names (not single-word queries) being sent to my ISP, even though I have DOH in Firefox set to trr 3 (no fallback).
- Jun 24, 2016
- 2,400
So, as far as I understand, a VPN would also be useless since it would encrypt the traffic A to B but the servers still retrieve the end communication input (a.k.a the searched term). Am I right?
- Apr 1, 2019
- 2,808
The browser shouldn’t see your ISP prior to talking to your router/modem. Your ISP should only see you pointing at the VPN IP address, and with the browser looking through that tunnel they shouldn’t see the ISP at all?. As far as the browser is concerned the VPN is your ISP? I would think a VPN would help in this situation. Especially if the VPN runs their own recursive servers. But, maybe this is beyond my understanding.
Last edited:
- Apr 1, 2019
- 2,808
- Aug 22, 2013
- 830
Install Yoga dns and enable any doh provider ( i prefer next dns), block all tcp/udp over port53. Now dns queries will go through port 443 isp wont be able to see that. another way is to use a router with DOH capability ( DDwrt, asus wrt merlin-provide dot support-, Mikrotik hap ac, mikrotik hap ac2, ) or use linux and install cloudflared.
- Jun 23, 2018
- 434
Unfortunately, yes, because the router is provided and maintained by the building where I live.
Thanks for the info. I was wondering about something like that or Acrylic DNS.
Similar threads
