It’s been an interesting couple of days for Firefox users. First Mozilla released version 16 of the popular browser on Wednesday, then quickly pulled it back yesterday after a serious security vulnerability was found in the new version. Less than 12 hours later, Mozilla had repaired the problem and re-released the updated browser, but not before exploit code was released.
The attack exploits an issue where Firefox was exposing URL information across Web domains by not restricting JavaScript’s location method. Mozilla director of security assurance Michael Coates said the vulnerability could allow a malicious website to determine which websites a user had visited and would leak URL information.
Eight lines of exploit code then appeared on a UK JavaScript blog. The author discovered a problem where an undefined value was converted to a string inside a native function, a condition that, the author surmised, could be abused. The author decided to test his short JavaScript proof-of-concept on Twitter to determine if he could identify the user’s Twitter handle.
Imperva, meanwhile, explained how the exploit would be carried out. A user would have to land on the attacker’s site. The attacker would then open a new browser window pointed at Twitter; if the victim is signed in, that window would be redirected to a URL that contains a personal Twitter ID. The attacker would then be able to query the new window and grab the victim’s Twitter ID, Imperva said.
Coates’ initial post on the Firefox blog said Mozilla had no indication the vulnerability was being exploited in the wild.