Security Experts:

Total Recall - The Details Behind Firefox 16 Recall

Last week, Mozilla removed the latest version of their Firefox Web browser just a day after it was released. The reason? A security vulnerability was discovered after the browser had shipped. Initially, Mozilla did not disclose the technical details of the vulnerability, but laconically stated “The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters”. Since Mozilla has given us little to work with, we will dive into the technical details of the vulnerability.

JavaScript and its security

First of all, this issue is a JavaScript vulnerability. JavaScript, a scripting language, is primarily used as a client-side technology to create enhanced user interfaces and dynamic websites. JavaScript allows the programmer to modify the look and feel of a web page, mostly by programmatically adding, removing and modifying HTML elements. In order to support it, the web browser implements a Javascript engine capable of evaluating Javascript code. In fact, JavaScript evaluation has become so critical in the modern web environment that most of the web browser performance is determined by the efficiency of its Javascript engine implementation.

Running code that originates from an untrusted environment such as a web page on the user’s computer is an obvious security risk. According to Wikipedia, “browser authors contain this risk using two restrictions: First, scripts run in a sandbox in which they can only perform web-related actions, not general-purpose programming tasks like creating files. Second, scripts are constrained by the same origin policy: scripts from one website do not have access to information such as usernames, passwords, or cookies sent to another site. Most Javascript-related security bugs are breaches of either the same origin policy or the sandbox.”

In the case of the Firefox 16 vulnerability, the same origin policy is our culprit.

Firefox 16 JavaScript same origin policy vulnerability

The essence of the vulnerability was the fact that Firefox 16 did not properly restrict the cross-domain access of JavaScript, by thus allowing remote attackers to bypass the same origin policy. Specifically, the browser allowed JavaScript from one domain (“website”) to query the URL of a window of another domain, by using the Javascript’s “location” obje

A security researcher has created a Proof of Concept (PoC) web page in order to demonstrate the implications of a possible exploitation of this vulnerability. The PoC reveals the twitter ID of the victim, with some very short malicious Javascript code: When the user browses to the attacker’s web page, a Javascript on that page opens a new browser window with a Twitter’s lists URL (https://twitter.com/lists). If the victim is signed in to Twitter, then the window is automatically redirected by Twitter to the victim’s personal lists page and the URL now contains the victim’s personal twitter ID (e.g. https://twitter.com/Imperva/lists). The attacker’s Javascript now queries the new window for its URL by using the location object. On previous versions, the same origin policy had failed such requests.

FireFox JavaScript vulnerability

However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victim’s Twitter ID in this case.

The future of JavaScript security

The fierce competition between Web browsers’ vendors has created an “arms race” in which each vendor adds functionality and technologies at an ever growing pace in order to provide a richer web experience for users. Examples of such technologies include (but not limited to): 3D graphics, native video and external devices (webcam, microphone) support. Naturally, the browser vendor makes sure that all of these technologies are made available to the JavaScript programmer for the creation of dynamic pages. Naturally, the addition of complicated code results the addition of bugs, including security bugs.

In the current state of affairs, we should expect more JavaScript vulnerabilities. The Firefox affair is just the tip of the iceberg.

view counter
Tal Be’ery is a Senior Security Research Manager in Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), developing Microsoft Advanced Threat Analytics (ATA). Previously, Tal managed various security project teams in several companies. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP). He is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, Blackhat and AusCERT and was included by Facebook in their whitehat security researchers list. (Twitter: @talbeerysec)