
SecurityWeek


Total Recall – The Details Behind Firefox 16 Recall


Last week, Mozilla removed the latest version of their Firefox Web browser just a day after it was released. The reason? A security vulnerability was discovered after the browser had shipped. Initially, Mozilla did not disclose the technical details of the vulnerability, but laconically stated “The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters”. Since Mozilla has given us little to work with, we will dive into the technical details of the vulnerability.

JavaScript and its security

First of all, this issue is a JavaScript vulnerability. JavaScript, a scripting language, is primarily used as a client-side technology to create enhanced user interfaces and dynamic websites. JavaScript allows the programmer to modify the look and feel of a web page, mostly by programmatically adding, removing and modifying HTML elements. To support it, the web browser implements a JavaScript engine capable of evaluating JavaScript code. In fact, JavaScript evaluation has become so critical in the modern web environment that much of a browser's perceived performance is determined by the efficiency of its JavaScript engine.

Running code that originates from an untrusted environment such as a web page on the user’s computer is an obvious security risk. According to Wikipedia, “browser authors contain this risk using two restrictions: First, scripts run in a sandbox in which they can only perform web-related actions, not general-purpose programming tasks like creating files. Second, scripts are constrained by the same origin policy: scripts from one website do not have access to information such as usernames, passwords, or cookies sent to another site. Most Javascript-related security bugs are breaches of either the same origin policy or the sandbox.”

In the case of the Firefox 16 vulnerability, the same origin policy is our culprit.

Firefox 16 JavaScript same origin policy vulnerability

The essence of the vulnerability was that Firefox 16 did not properly restrict cross-domain access from JavaScript, thus allowing remote attackers to bypass the same origin policy. Specifically, the browser allowed JavaScript from one domain (“website”) to query the URL of a window belonging to another domain, by using JavaScript’s “location” object.

A security researcher created a Proof of Concept (PoC) web page to demonstrate the implications of a possible exploitation of this vulnerability. The PoC reveals the Twitter ID of the victim with a very short piece of malicious JavaScript: when the user browses to the attacker’s web page, a script on that page opens a new browser window with Twitter’s lists URL (https://twitter.com/lists). If the victim is signed in to Twitter, the window is automatically redirected by Twitter to the victim’s personal lists page, and the URL now contains the victim’s personal Twitter ID (e.g. https://twitter.com/Imperva/lists). The attacker’s script then queries the new window for its URL using the location object. In previous versions, the same origin policy blocked such requests.


FireFox JavaScript vulnerability

However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victim’s Twitter ID in this case.
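To make the boundary concrete, the following is an added example (not code from the article, the researcher's PoC, or Mozilla) that models what a correct browser must decide when a script on one origin touches the location object of a window on another origin. It implements the same-origin comparison (scheme, host and port must all agree) and the short allowlist of Location members that the HTML specification exposes cross-origin: the href setter and the replace() method, and nothing readable. The attacker origin https://attacker.example is a hypothetical placeholder; the twitter.com URLs are the ones the article describes.

```javascript
// Added example (not from the SecurityWeek article): a model of the browser's
// same-origin check and of the few Location members a cross-origin script may
// touch. "https://attacker.example" is a constructed placeholder origin.

// An origin is the (scheme, host, port) triple; two URLs share an origin only
// when all three agree. The URL class normalizes the default port away, so
// comparing origin strings also covers "https://host:443" vs "https://host".
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Per the HTML specification, a cross-origin Location object exposes only:
//   - href, as a setter (navigating the other window is allowed, reading is not)
//   - replace(), a method
// Every other member (reading href, pathname, search, hash, ...) is refused.
const CROSS_ORIGIN_LOCATION = {
  href: { get: false, set: true },
  replace: { call: true },
};

// Decide whether a script running at accessorUrl may perform `op`
// ('get', 'set' or 'call') on member `prop` of the Location object of a
// window currently at targetUrl. Same-origin callers get full access.
function locationAccessAllowed(accessorUrl, targetUrl, prop, op) {
  if (sameOrigin(accessorUrl, targetUrl)) return true;
  const rule = CROSS_ORIGIN_LOCATION[prop];
  return rule !== undefined && rule[op] === true;
}

// Model of the scenario in the article: a page on the attacker's origin opened
// https://twitter.com/lists, Twitter redirected that window to the victim's own
// lists page, and the attacker's script tried to read the new URL. A correct
// engine refuses every read, so the Twitter ID never leaves the window.
function auditPoc() {
  const attacker = 'https://attacker.example/';            // constructed placeholder
  const victimWindow = 'https://twitter.com/Imperva/lists'; // URL after Twitter's redirect
  return {
    readHref: locationAccessAllowed(attacker, victimWindow, 'href', 'get'),
    readPathname: locationAccessAllowed(attacker, victimWindow, 'pathname', 'get'),
    readSearch: locationAccessAllowed(attacker, victimWindow, 'search', 'get'),
    navigateAway: locationAccessAllowed(attacker, victimWindow, 'href', 'set'),
    // A page on twitter.com itself is same-origin and may read the URL.
    sameOriginRead: locationAccessAllowed('https://twitter.com/home', victimWindow, 'href', 'get'),
  };
}

console.log(auditPoc());
```

In a real browser the refused reads do not return false; the engine throws a DOMException named SecurityError when the cross-origin script touches `win.location.href`, which is exactly the check Firefox 16 failed to perform. The model also shows why the Mozilla advisory speaks of "the URL or URL parameters": everything after the host (path, query, fragment) is cross-origin-readable the moment the origin check is skipped, so any identifier a site places in its URLs becomes exposed.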

The future of JavaScript security

The fierce competition between Web browser vendors has created an “arms race” in which each vendor adds functionality and technologies at an ever growing pace in order to provide a richer web experience for users. Examples of such technologies include (but are not limited to) 3D graphics, native video, and support for external devices (webcam, microphone). Naturally, the browser vendor makes sure that all of these technologies are made available to the JavaScript programmer for the creation of dynamic pages. Just as naturally, the addition of complicated code results in the addition of bugs, including security bugs.

In the current state of affairs, we should expect more JavaScript vulnerabilities. The Firefox affair is just the tip of the iceberg.
