Earlier today I posted an item about the “link prefetch” feature recently introduced in Firefox and used by Google for all searches run using Firefox.
To see exactly how this works, I performed a simple experiment.
First, I completely deleted the contents of the Cache folder in my Firefox profile. I left the directory window visible on the screen, opened Firefox, and went to the Firefox home page. After it finished loading, I refreshed the contents of the Cache folder window and observed that there were now a few small files there.
Next, I created a simple HTML page consisting of a single sentence. That sentence contained a hyperlink to a large (2.56MB) executable file on a third-party Web site. In the source code for the page I created, just before the hyperlink, I added a LINK tag using the REL="prefetch" type, as documented in the Mozilla Link Prefetching FAQ. I uploaded this page, which was 369 bytes in size, to my Web site.
Finally, I returned to Firefox and typed in the URL of the test page I created. My tiny page loaded immediately, and over the course of the next few seconds I watched one file in the Cache folder grow to approximately 2.6MB in size. When I clicked the link to the executable file on my test page, the Firefox Downloads window appeared and almost instantly displayed the message that the download was complete. That’s not surprising, because the executable file was already in my cache.
Let me repeat that: I clicked on a link in one page, and Firefox silently, without any indication to me, downloaded a large executable file in the background and placed it in my browser’s cache.
I repeated the experiment with a much larger executable file (10MB) from a different third-party Web site, using a completely clean Firefox profile. Same result.
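The experiment above can be turned into a routine check for the other side of the problem: before publishing a page (or when reviewing what a proxy sees coming back from a search engine), list every prefetch hint the page carries and flag the ones that would make the browser fetch from a different origin. The following script is an added example, not code from the original post, and it assumes the two hint forms documented in Mozilla's Link Prefetching FAQ, the `<link rel="prefetch" href="...">` tag and the `Link: <...>; rel=prefetch` HTTP header. The sample page, host names and header values are constructed placeholders that mirror the test page described above.

```python
"""Audit which prefetch targets a page would hand to the browser.

Added illustration, not code from the original post: given a page URL,
its HTML, and any HTTP Link headers, list every prefetch hint and flag
the ones that point at a different origin than the page itself.
Assumes the two hint forms in Mozilla's Link Prefetching FAQ:
  <link rel="prefetch" href="...">   and   Link: <...>; rel=prefetch
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return (scheme, host, port) so the cross-origin comparison is explicit."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


class _PrefetchLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel tokens include 'prefetch'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()  # rel may hold several tokens
        if "prefetch" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


# One <url>; param; param ... element of a Link header value.
_LINK_HEADER = re.compile(r"<([^>]+)>\s*((?:;[^,]*)*)")


def prefetch_from_link_headers(headers):
    """Extract URLs from 'Link' header values whose params include rel=prefetch."""
    found = []
    for value in headers:
        for url, params in _LINK_HEADER.findall(value):
            rels = re.findall(r'rel\s*=\s*"?([^";,]+)"?', params, re.I)
            tokens = {t for r in rels for t in r.lower().split()}
            if "prefetch" in tokens:
                found.append(url.strip())
    return found


def audit_prefetch(page_url, html, link_headers=()):
    """Return one dict per prefetch hint: where it came from, the absolute
    URL the browser would request, and whether that is a different origin."""
    parser = _PrefetchLinkParser()
    parser.feed(html)
    hints = [("html", h) for h in parser.hrefs]
    hints += [("header", h) for h in prefetch_from_link_headers(link_headers)]
    page_origin = origin(page_url)
    report = []
    for source, href in hints:
        absolute = urljoin(page_url, href)  # relative hints resolve against the page
        report.append({
            "source": source,
            "url": absolute,
            "cross_origin": origin(absolute) != page_origin,
        })
    return report


# Constructed sample mirroring the post's test page; host names are placeholders.
SAMPLE_PAGE_URL = "http://example.com/prefetch-test.html"
SAMPLE_HTML = """<html><head>
<link rel="prefetch" href="http://third-party.example/big-setup.exe">
<link rel="stylesheet" href="/style.css">
</head><body>
<p>Here is a <a href="http://third-party.example/big-setup.exe">download</a>.</p>
<link rel="prefetch next" href="page2.html">
</body></html>"""
SAMPLE_LINK_HEADERS = [
    "<http://cdn.example/logo.png>; rel=prefetch",
    '</about.html>; rel="help"',
]

if __name__ == "__main__":
    for entry in audit_prefetch(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_LINK_HEADERS):
        flag = "CROSS-ORIGIN" if entry["cross_origin"] else "same-origin"
        print(f"{entry['source']:6} {flag:12} {entry['url']}")
```

Run against the constructed sample, the executable on the third-party host and the CDN image from the Link header are reported as cross-origin, while page2.html resolves to the page's own origin. On the user side, the equivalent control is the Firefox preference network.prefetch-next, which disables the feature entirely (with the trade-off Alex Halderman describes below, since sites can still force loads by other means).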
If you were to click on the link to my test page using Firefox, that executable code would be on your computer, downloaded from a site you never chose to visit. Now, let me be clear: That code isn’t an immediate danger. There’s no way I’m aware of for it to execute. At least not now. But if I were a bad guy, I’d be working my tail off to figure out how to get that code to execute – or to trick you into running it. I’d also be looking at other creative ways to exploit the fact that I can get you to download scripts and other content from a third-party site that you never even realized you visited. And I would surely be thinking of how I could get my pages to appear at the top of a Google search window, where they would automatically be prefetched by Firefox.
This is not a good thing.
Update: In a comment to my previous post, Alex Halderman, a PhD student in computer science at Princeton, notes that the privacy issue is a legitimate one but the security issue is less worrisome than I might fear. He writes:
There are lots of ways a site can cause your browser to load a page from another site without your knowledge: JavaScript tricks, hidden frames, etc. For legitimate uses, prefetching is preferable to these other methods, since the browser can be smart about only prefetching during idle periods. Disabling the prefetch feature will preclude these benefits without actually preventing malicious sites from loading remote pages.
On the other hand, well intentioned sites like Google need to be careful about what prefetching they cause for precisely the reasons Ed cites. Google’s users trust it not to place embarrassing content in their caches or to connect their browsers to disreputable sites. Google says only certain sites are prefetched, and I’ll bet these concerns enter into their selection algorithm.
Prefetching is also unlikely to exacerbate a vulnerability that “allows code to be executed automatically from a page that triggers a buffer overflow or exploits an unpatched scripting exploit.” The prefetched page is not rendered and any scripts it contains are not interpreted until the user actually follows a link to it. Only the HTTP and caching code is exposed to the prefetched data, and these relatively simple modules are less likely to contain exploitable holes.
I missed the part where Google says only certain sites are prefetched. I’ll have to look more closely at that.
Update 2: OK, I looked at the Google FAQ for Webmasters, which says, “Google only inserts this tag when there is a high likelihood that the user will click on the top result, but clearly this heuristic is not right 100% of the time.” I don’t see anything that suggests any concern for the privacy of the user or whether the content in the top-rated link is work-safe.
Update 3: Some interesting discussion of the issue here.
https://bugzilla.mozilla.org/show_bug.cgi?id=309776
Go to Google. Search for ‘selinux’.
You now have a cookie from NSA.gov, and your Firefox browser has downloaded http://www.NSA.gov. Nice implementation of privacy, Firefox team. Good job.