Comment by gibspaulding
5 years ago
I can't tell from your post if you are surprised by this or just pointing it out for others who would prefer to avoid this sort of tracking, but just to be clear, this is by design:
https://blog.mozilla.org/security/2021/01/26/supercookie-pro...
The creator of supercookie.me made it sound like all versions of Firefox were vulnerable.
It may have been their intention, after reading the Bugzilla report they made[1].
> I also think that it would have been appropriate to notify about the ulterior motive behind this defect report at the latest when the paper got published. This underhanded approach of reporting a defect just leaves a bad taste, really. The behavior may be an actual defect in the classical sense, but I'm just wondering what would have happened, had this been addressed "in time" by the developers. It would seem that the researchers would then have triumphantly proclaimed that all major browsers are prone to their newly found attack. Must be somewhat disappointing that it didn't get fixed "in time" to make it into the paper that way
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1618257
Honestly, this is a big deal here. A "security researcher" attempted to _introduce new vulnerabilities_ into a major open source project just so that they could report these vulnerabilities later.
How scammy can research get?
4 replies →
Please note that I've nothing to do with the authors of this paper[1]! ~jonas
[1] https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf
To clarify, falsifying results was never my intention: during my work I tested Firefox (v 84.0) and everything worked fine under Windows & OSX.
Due to your feedback I've updated the table in the GitRepo and the website and added that the current FF version (v 85.0) is no longer vulnerable! ~jonas