Security Experts:

Researcher Rewarded for XSS in Mozilla Add-ons Site

Mozilla has awarded a researcher $2,500 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability affecting the company’s add-ons website.

Ashar Javed, a penetration tester at Hyundai AutoEver Europe, identified a total of three XSS vulnerabilities on Mozilla’s websites.

The most serious of the issues is a stored XSS found in Mozilla’s add-ons site, more precisely in the collections feature, which is designed to allow users to create and share groups of similar add-ons.

When users create a collection, they have to enter a name, a description and specify the add-ons that will be in the collection. The expert discovered that the “name” field was plagued by a stored XSS that could have been exploited to execute arbitrary JavaScript code. The flaw existed because Mozilla failed to properly filter the “<” character, allowing attackers to construct a payload such as </title><svg/onload =confirm(document.domain)//.

According to Javed, an attacker could have exploited the vulnerability to serve malware or for other malicious purposes simply by tricking the victim into accessing the URL of a malicious collection.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

One way to get users to trigger the malicious code would be to post comments on the pages of popular add-ons with links to the attacker’s collection, Javed said.

The researcher reported the vulnerability to Mozilla on December 26 and a fix was rolled out on January 7. The organization awarded the researcher $2,500 for the flaw, which he claims to have found within minutes.

The other two XSS flaws found by Javed on Mozilla websites, namely the add-ons and the support sites, have been classified as low risk and still haven’t been fixed. The expert told SecurityWeek that these are self-XSS bugs, which Mozilla is currently working to patch.

This was not the first time Javed received a significant bounty for an XSS vulnerability. In October, the expert said Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.

Related Reading: XSS Flaw Exposed eBay Users to Phishing Attacks

Related Reading: Flaw in SAP Firm's XSS Filter Exposed Many Sites to Attacks

view counter