What if I say you that all your search terms are getting leaked? You heard me right, Firefox users started to report the issue that their privacy is been breached. Recently it was reported that all the search term browsed on Firefox were sent to the Internet service provider (ISP).
The issue was first spotted and explained by samduy on Github, another reference of this is spotted on Reddit which explains that even though the DoH is activated still the search terms are been sent to the user’s ISP. Later it was realized that this breach is only been faced for single-word terms and not sentences. This is still disappointing because it is happening without the user’s consent and privacy is been compromised.
Read the below-analysed summary to understand the bug:
- If you search a single-word query, it should be sent in the form of ‘single-word [suffix]’. The suffix then acts as a valid domain and sends a DNS query.
- This DNS query pings back a valid ‘IP address’ that the search engine uses to display the result.
- The current issue with Firefox is, it shouldn’t be sending a suffix. This is resulting in a situation where the suffix isn’t sending a valid IP and noting the ‘search-word’ in plain text.
- Resulting in the DNS query to get logged and sent to the suffix server, in this case, your ISP.
The bug is reported on the Bugzilla and brought it to the notice of Firefox officials hoping for getting it fixed at the earliest. The OP also mentioned on the GitHub page that Google Chrome v81.0.4044.92 (64-bit), you can check this bug to join the discussion.
Stop Firefox from sending search terms to ISPs
In case, if you are an avid user of Firefox and worried about your privacy, then try solution shared by a user in this Firefox bug.
In Firefox browser, you need to visit about:config and click on the I accept the risk button.
In the search bar, you need to look for
browser.fixup.domainwhitelist.localhost and browser.fixup.domainsuffixwhitelist.localhost and set it to False by clicking the Toggle button.
Next, type localhost (without the final slash, remove it if present) and Enter in the urlbar. Now, check if you prompt with the message “Did you mean to go to ‘localhost‘” appear. Close the prompt with the X, or the No Thanks button.
After that following method discussed above, search for browser.urlbar.dnsResolveSingleWordsAfterSearch, when it appears in results, select Number and set its Value 0.
Doing this will fix the issue.
Are you affected by this privacy bug? Did the above solution fix the issue for you? Once the company gives an update on the issue/bug, we will edit this post and let you know.