Netscape Communications has a fix for a potential security flaw in its Communicator software that leaves the URLs stored in the browser's cache vulnerable to the eyes of outsiders.
If the URLs include private information such as credit-card data, that information is also available to others.
Donna Sokolsky, a spokeswoman for the firm, said the problem was corrected Monday evening and that a fix would be posted within the next few days, after it was thoroughly tested. In the meantime, she recommended that customers clear their browser caches and then set the cache size to zero.
Computer consultant Dan Brumleve in Sunnyvale, Calif., said he discovered the flaw in Netscape Communicator 4.05 on August 23. He wrote a single CGI script, dubbed Cache-Cow, that exploits the security hole. Cache-Cow allows the user to view the URLs in someone else's browser cache.
Brumleve offers a demonstration of Cache-Cow on his Web site, along with the following warning: "When you click this link, your browser will send its cached URLs to this HTTP server, which will then write them to a local file and return them back to you as evidence of its functionality. This is very bad for anyone who operates under the assumption that their Web browsing activities are private."
Sokolsky downplayed the security risk, however.
"The problem is not a security flaw -- it's really a potential privacy bug" that would let people read a directory of a cached file, she said. The problem doesn't allow someone to "view a user's hard drive, run any programs, see any passwords, files or plant a virus of any kind."