A newly discovered bug in Netscape Communications Corp.'s Communicator software may enable malicious Webmasters to track the activities of site visitors.
According to Dos Santos, the bugs allow a hacker to grab data that's input by Communicator users, including passwords and credit card numbers. The exploit is similar to previously reported hacks, which involve popping up a second, tiny Web browser that silently sends information back to the attacker's host computer.
Netscape security group leader Taher Elgamal has confirmed that the bug exists, adding that Dos Santos notified the company about it late last week. Elgamal said Netscape is still trying to identify where the flaw lies in the Communicator code and hopes to have details within a day or two.
This is not the first time Dos Santos has reported browser bugs to Netscape. Last March he pointed out Java flaws in Navigator version 3.01 and in Microsoft's Internet Explorer, bugs that were fixed in later versions of those browsers.
Dos Santos says he discovered the bugs while testing a digital library system that's part of his graduate research. Although his latest discovery may earn him $1,000 through Netscape's Bug Bounty program, Dos Santos says he's not in it for the money; he's doing it for the sake of future Web users.
Dos Santos has posted information about his various browser-bug discoveries at his Web site (http://www.cs.ucsb.edu/~andre/).