It’s been an interesting couple of days for Firefox users. First Mozilla released version 16 of the popular browser on Wednesday, then quickly pulled it back yesterday after a serious security vulnerability was found in the new version. Less than 12 hours later, Mozilla had repaired the problem and re-released the updated browser, but not before exploit code was released.
Imperva, meanwhile, explained how the exploit would be carried out. A user would first have to land on the attacker’s site. The attacker’s page would then open a new browser window pointing at Twitter; if the victim is signed in, Twitter would redirect that window to a URL containing the victim’s personal Twitter ID. Because of the bug, the attacker’s page would then be able to query the new window’s location and read the victim’s Twitter ID from it, Imperva said.
Coates’ initial post on the Firefox blog indicated Mozilla had no indication the vulnerability was being exploited in the wild.