Attack code for Firefox 16 privacy vulnerability now availab
Source: Dan Goodin
Attack code that exploits a privacy information leak introduced in the latest version of Firefox is available online, making it easy for malicious websites to gather detailed information about users' browsing history unless they downgrade to the previous Mozilla release.
As previously reported, Mozilla officials took the unusual step of temporarily removing Firefox 16 on Wednesday, just one day after its release. Company officials warned that a security hole introduced in the release "could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters." They went on to say there was no evidence the vulnerability was being exploited by real-world attackers. Update: Mozilla has released Firefox 16.0.1 for Android on Google Play, and Firefox 16.0.1 for desktops appears to be available by FTP.
Mozilla's advisory came several hours after a JavaScript blogger published a post titled "Firefox knows what your friends did last summer." In it, he reported some curious behavior in the latest version of the open-source browser, where an undefined value is converted to a string inside a native function. In short order, he was able to take advantage of his discovery to fashion proof-of-concept code that forced Firefox 16 to identify a visitor's Twitter handle whenever the user was logged in to the site. The eight-line code sample takes about 10 seconds to reveal the username, and it wouldn't be hard for developers to expand on that code to create attacks that extract personal information contained in URLs from other websites.
Until a few years ago, Firefox, Internet Explorer, and most other browsers suffered from a decade-old weakness that allowed websites to extract a visitor's browsing history by manipulating the cascading style sheet technology that causes visited links to appear in a different color than addresses that haven't been visited. In late 2010, security researchers reported that YouPorn and 45 other sites actively exploited the weakness to pilfer visitors' browsing habits. Jon Oberheide, CTO of mobile firm Duo Security, said the vulnerability in Firefox 16 is likely more serious because it doesn't require attackers to use a predetermined list of sites to make guesses about where a victim has browsed.
"It appears that this vulnerability allows access to the full URL of an entry in the browser history, without actually having to know that full URL in advance," he told Ars. "In the proof of concept, you can see he's doing a regex match to grab the user's twitter username."
Readers who are still using Firefox version 15.0.1 should take no action. Those whose browsers have already updated to version 16 should roll back by downloading version 15.0.1 here.