A Debian bug report  indicated that surf would create the cookies storage file with world readable permissions. This could allow other local users to steal cookies if the user had non-default permissions on their home directory (by default, home directories are mode 0700 but may be 0755 in some cases, like for Apache user directories).
$ ls -al ~/.surf/
drwxr-xr-x. 2 parallels parallels 4096 Feb 9 21:14 .
drwx------. 22 parallels parallels 4096 Feb 9 21:14 ..
-rw-rw-r--. 1 parallels parallels 312 Feb 9 21:14 cookies.txt
Created surf tracking bugs for this issue
Affects: fedora-all [bug 789197]
This was assigned the name CVE-2012-0842:
fixed in surf 0.5
surf is now 0.5-1 in fedora
Updated by François Cami
Available in rawhide and fedora-18-updates
!!!Thank you for this bug report!!!
Thank you for the heads-up, Simon.