Vulnerability discovered in how Firefox handles bookmarks

Michal Zalewski has discovered an interesting vulnerability in how Firefox handles bookmarks.

It is relatively easy to trick a casual user into bookmarking a window that does not point to any physical location but is instead an inline data: URL, otherwise convincingly pretending to be a “tangible” webpage.

When the bookmark is later clicked, JavaScript code within the link executes in the context of the last visited webpage. This is the same technique used by the legitimate bookmarklet mechanism, except that bookmarklets do not camouflage themselves as webpages, cannot normally be added with Ctrl-D alone, and are expected to be entered and invoked as a conscious user action.

Zalewski says the vulnerability is not really devastating, but warns that any attention-grabbing webpage can spawn such a window for the user to bookmark and then exploit this to launch attacks against, for example, common start pages such as Google, MSN, or AOL, possibly stealing credentials for services such as Google Mail. In the unlikely case that the victim is browsing local files or special URLs, system compromise is possible.
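The defensive counterpart to the mechanism described above is to audit a profile's bookmarks for entries whose "location" is inline code rather than a server. The following is an added example, not code from the post or from Zalewski's advisory: it walks a bookmark tree in the shape of a Firefox JSON bookmark backup (the `type`, `uri` and `children` keys are assumed from that format; the sample tree itself is constructed here) and flags `data:` and `javascript:` entries, which are exactly the ones that run in the context of whatever page was last visited.

```python
"""Audit a Firefox JSON bookmark backup for entries that carry inline code
(data: and javascript: schemes) instead of pointing at a real location."""
import json
from urllib.parse import urlsplit, unquote

# Constructed sample in the shape of a Firefox bookmark backup
# (bookmarks-*.json): containers hold "children", leaves carry "uri".
SAMPLE_BACKUP = {
    "title": "", "type": "text/x-moz-place-container", "root": "placesRoot",
    "children": [
        {"title": "Bookmarks Toolbar", "type": "text/x-moz-place-container",
         "children": [
             {"title": "Example Search", "type": "text/x-moz-place",
              "uri": "https://search.example/"},
             # the kind of entry the post describes: a normal-looking title
             # on a data: URL that is itself the whole "page"
             {"title": "Amazingly cool page!", "type": "text/x-moz-place",
              "uri": "data:text/html,<h1>hi</h1><script>/* inline */</script>"},
             # an ordinary bookmarklet, which is the same mechanism used openly
             {"title": "Reload helper", "type": "text/x-moz-place",
              "uri": "javascript:location.reload()"},
         ]},
        {"title": "Local docs", "type": "text/x-moz-place",
         "uri": "file:///home/user/notes.html"},
    ],
}


def walk(node, path=()):
    """Yield (folder path, leaf) for every bookmark in the tree, depth first."""
    if node.get("type") == "text/x-moz-place-container":
        for child in node.get("children", []):
            yield from walk(child, path + (node.get("title", ""),))
    elif node.get("type") == "text/x-moz-place":
        yield path, node


def classify(uri):
    """Return a finding label for a bookmark URI, or None if it is a plain link."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "javascript":
        return "javascript: bookmarklet (runs in the current page's context)"
    if scheme == "data":
        # Decode percent-encoding so "<script" cannot hide as "%3Cscript".
        body = unquote(uri[len("data:"):]).lower()
        media_type = body.split(",", 1)[0]
        if "<script" in body or "text/html" in media_type:
            return "data: URL carrying HTML/script (no real origin)"
        return "data: URL"
    return None


def audit(backup):
    """Return findings as (folder path, title, uri, label) tuples."""
    findings = []
    for path, leaf in walk(backup):
        label = classify(leaf.get("uri", ""))
        if label:
            folder = "/".join(p for p in path if p)
            findings.append((folder, leaf.get("title", ""), leaf["uri"], label))
    return findings


def audit_file(filename):
    """Audit a real backup file exported from Firefox's bookmark library."""
    with open(filename, encoding="utf-8") as fh:
        return audit(json.load(fh))


if __name__ == "__main__":
    for folder, title, uri, label in audit(SAMPLE_BACKUP):
        print(f"[{label}] {folder!r}: {title!r} -> {uri[:60]}")
```

Run against a real export with `audit_file("bookmarks-YYYY-MM-DD.json")`; the title of a flagged entry is deliberately ignored by the check, since a convincing title is precisely what the trick relies on. `file:` bookmarks are reported as benign here because they point at a location; the post's point about local files concerns the page that is current when a flagged bookmark is clicked, not the bookmark itself.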

You can follow these steps to see a demo of the vulnerability:

  1. Click here to begin the test.
  2. Follow the displayed instructions: bookmark the page, then close the window. (…later…)
  3. Visit Google.com homepage.
  4. Open your bookmarks, choose the recently added entry (“Amazingly cool page!”).

Depending on the outcome of this test, you will be taken back to an appropriate page on this server.

The latest news is that Mozilla’s security response team is working on a fix.
