A serious defect exists in web browsers from Mountain View, California-based Netscape Communications Corp, the CNNfn news service reported on Thursday. The security flaw enables a content provider to filch files from the hard disk of anyone viewing their web pages, without the viewer’s knowledge. CNNfn and PC Magazine have verified that Navigator 2.0 and 3.01 are subject to the problem, and CNNfn states that the final test version of Communicator is also affected. A file’s name must be known before the bug can be exploited to read it; the browsers in question are vulnerable in their default configurations, and internet firewalls offer no protection. Few other technical details are available, in part because Danish software company CaboComm, which discovered the problem, refuses to divulge them for what it describes as Netscape’s insultingly low bug bounty of $1,000 and a T-shirt. CaboComm is instead holding out for either a visit from a Netscape representative – in which case it says details will be provided free – or what it calls reasonable compensation (and Netscape calls an exorbitant sum, and the San Jose Mercury blackmail). CaboComm has said it will neither exploit the bug nor make technical information about it public until Netscape comes to the party. But the Danish company will probably wish it had accepted the money and T-shirt after all, because Netscape said late Friday that it had replicated the bug and promises a fix early this week. Netscape shares closed down $1.06 at $32.25.