
Firefox and Chrome have a privacy flaw: a single word typed into the address bar is sent as a DNS query to the ISP's DNS servers, even in Private Browsing mode, with a privacy-focused search engine such as DuckDuckGo selected, or with DNS over HTTPS (DoH) enabled. Mozilla is adding a preference in the upcoming Firefox 79 that lets users control and prevent this, while Google has known about the issue for five years but says it has not been able to work on it recently amid the COVID-19 pandemic.
A researcher reported the "privacy leakage" (search terms sent to the ISP without user consent) to Mozilla and Google on April 13, 2020, and disclosed the bug publicly about two months later, after the browser vendors failed to act within the stipulated time.
By default, both Chrome and Firefox treat a single-word search as a possible hostname: besides sending it to the search engine, they query one of the ISP's DNS servers for it, with the connection's DNS suffix appended, to find out whether it resolves to an IP address.
Searches of more than one word are not sent to the ISP's DNS, however.
For instance, searching for 'sensitive' or 'very-sensitive-word' in the address bar returns results from your search engine, but the term is also sent to the ISP's DNS server, which you can see in the DNS client log if logging is enabled.
According to the researcher, Chrome 81 and Firefox 75 are affected, and he says the latest versions are mostly affected too; we at Techdows can confirm that this is true. In our tests, Chrome 83 and Firefox 77 send one-word searches to the ISP's DNS.
Impact/risk: the ISP can track the user's search activity, and a malicious actor on the network can set up a rogue DNS server and, in the researcher's words, "use his search history for malicious purposes (e.g. selling data, advertising, ransom)".
Google said a similar issue was reported back in April 2015, that it is aware of the problem, and that it has not managed to work on it due to the recent situation.
You can see Mozilla's discussion on this issue here. The good news for Firefox users is that Mozilla is offering a pref in Firefox 79 (also available in Firefox 78 beta) to manage this.
To stop Firefox from sending single-word searches to your ISP's DNS servers:
1. Visit about:config
2. Search for "single"
3. Change the value of the following pref to 0 so that Firefox will "never resolve" single-word searches over DNS:
browser.
The default value 1 means "use heuristics" (resolve only single words); setting the pref to 2 makes Firefox "always resolve" the DNS query.
We can confirm that setting the pref to 0 worked as expected: the search terms no longer appeared in the DNS log.
You can verify this yourself. Enable DNS client logging in Windows 10 by opening
Event Viewer > Applications and Services Logs > Microsoft > Windows > DNS-Client, then right-click Operational and select "Enable Log".
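The same check can be scripted instead of clicking through Event Viewer. The following PowerShell script is an added example, not code from the article or from Mozilla: it enables the DNS Client operational log (the same thing "Enable Log" does), waits for you to type the word into the address bar, then searches the log for queries whose first label is that word, with or without a DNS suffix appended. It assumes an elevated PowerShell session on Windows 10 and that the DNS Client log records each issued query as event ID 3006 with a message of the form "DNS query is called for the name <name>, ..."; if your build uses a different event ID, drop the Id filter and match on the message alone.

```powershell
# Added example (not from the Techdows article): check whether a single-word
# address-bar search was sent to the DNS client as a query.
# Assumptions: run as Administrator; log name and event ID 3006 ("DNS query is
# called for the name ...") are those of the built-in DNS Client operational log.
param(
    [Parameter(Mandatory = $true)][string]$Term,   # the word you typed, e.g. "sensitive"
    [int]$MinutesBack = 10                         # how far back to search the log
)

$logName = 'Microsoft-Windows-DNS-Client/Operational'

# Step 1: enable the operational log (equivalent to "Enable Log" in Event Viewer).
wevtutil set-log $logName /enabled:true

# Step 2: give the user time to type the word into the browser's address bar.
Read-Host "Log enabled. Type '$Term' into the address bar, press Enter there, then press Enter here"

# Step 3: pull the query events logged since the cut-off time.
$since  = (Get-Date).AddMinutes(-$MinutesBack)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 3006
    StartTime = $since
} -ErrorAction SilentlyContinue

# Step 4: extract the queried name and match the term as the whole name or as
# its first label (the browser appends the connection's DNS suffix, so
# "sensitive" may show up as "sensitive.example.isp").
$pattern = '(?i)for the name (\S+?),'
$leaks = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        $name = $Matches[1]
        if ($name -ieq $Term -or $name -ilike "$Term.*") {
            [pscustomobject]@{ Time = $e.TimeCreated; QueriedName = $name }
        }
    }
}

if ($leaks) {
    Write-Host "Search term '$Term' was sent to DNS:"
    $leaks | Format-Table -AutoSize
} else {
    Write-Host "No DNS query for '$Term' in the last $MinutesBack minutes"
}
```

Run it once with the pref at its default value of 1 and the term should show up as a queried name; run it again after setting the pref to 0 and the query should be absent. Because the check reads the local DNS client log, it also catches the case where DoH is enabled in the browser: a query that bypasses DoH still goes through the Windows resolver and appears here.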