Total Recall – The Details Behind Firefox 16 Recall


Last week, Mozilla removed the latest version of their Firefox Web browser just a day after it was released. The reason? A security vulnerability was discovered after the browser had shipped. Initially, Mozilla did not disclose the technical details of the vulnerability, but laconically stated “The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters”. Since Mozilla has given us little to work with, we will dive into the technical details of the vulnerability.

JavaScript and its security

First of all, this issue is a JavaScript vulnerability. JavaScript, a scripting language, is primarily used as a client-side technology to create enhanced user interfaces and dynamic websites. JavaScript allows the programmer to modify the look and feel of a web page, mostly by programmatically adding, removing and modifying HTML elements. To support it, the web browser implements a JavaScript engine capable of evaluating JavaScript code. In fact, JavaScript evaluation has become so critical in the modern web environment that much of a web browser's perceived performance is determined by the efficiency of its JavaScript engine implementation.

Running code that originates from an untrusted environment such as a web page on the user’s computer is an obvious security risk. According to Wikipedia, “browser authors contain this risk using two restrictions: First, scripts run in a sandbox in which they can only perform web-related actions, not general-purpose programming tasks like creating files. Second, scripts are constrained by the same origin policy: scripts from one website do not have access to information such as usernames, passwords, or cookies sent to another site. Most Javascript-related security bugs are breaches of either the same origin policy or the sandbox.”

In the case of the Firefox 16 vulnerability, the same origin policy is our culprit.

Firefox 16 JavaScript same origin policy vulnerability

The essence of the vulnerability was that Firefox 16 did not properly restrict the cross-domain access of JavaScript, thus allowing remote attackers to bypass the same origin policy. Specifically, the browser allowed JavaScript from one domain (“website”) to query the URL of a window belonging to another domain by using JavaScript’s “location” object.

A security researcher has created a Proof of Concept (PoC) web page in order to demonstrate the implications of a possible exploitation of this vulnerability. The PoC reveals the Twitter ID of the victim with some very short malicious JavaScript code: When the user browses to the attacker’s web page, a script on that page opens a new browser window with Twitter’s lists URL (https://twitter.com/lists). If the victim is signed in to Twitter, then the window is automatically redirected by Twitter to the victim’s personal lists page, and the URL now contains the victim’s personal Twitter ID (e.g. https://twitter.com/Imperva/lists). The attacker’s JavaScript now queries the new window for its URL by using the location object. In previous versions, the same origin policy had blocked such requests.

FireFox JavaScript vulnerability

However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victim’s Twitter ID in this case.
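To make the failed check concrete, here is an added example (not code from the article or from Mozilla) that models the same-origin decision a browser must make when script in one window reads another window's `location`. The attacker origin, the window model and the redirect to the personal lists page are constructed for illustration; in Firefox 16 the outcome was as if the origin comparison below were skipped.

```javascript
// Added example, not from the article: a minimal model of the same-origin
// check applied when script in one window reads the `location` of another.
// All URLs below are constructed for illustration.

// An origin is the (scheme, host, port) triple; default ports are normalised
// so https://twitter.com and https://twitter.com:443 compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  const port = u.port || defaultPort;
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Model of a browsing context: a window whose current URL can change through
// server-side redirects after it is opened (as twitter.com/lists redirects a
// signed-in user to their personal lists page).
class BrowserWindow {
  constructor(url) { this.currentUrl = url; }
  navigate(url) { this.currentUrl = url; }
}

// What a correctly behaving browser does when the opener's script evaluates
// `win.location.href`: the read is permitted only if the opener's origin
// matches the window's *current* origin; otherwise a SecurityError is raised.
function readLocationHref(openerUrl, win) {
  if (!sameOrigin(openerUrl, win.currentUrl)) {
    const err = new Error('Permission denied to access property "href"');
    err.name = 'SecurityError';
    throw err;
  }
  return win.currentUrl;
}

// The scenario from the article: the window is opened on the lists URL and
// then redirected by the server to a (constructed) personal lists page.
function scenario(openerUrl) {
  const win = new BrowserWindow('https://twitter.com/lists');
  win.navigate('https://twitter.com/Imperva/lists'); // constructed redirect
  try {
    return { allowed: true, href: readLocationHref(openerUrl, win) };
  } catch (e) {
    return { allowed: false, error: e.name };
  }
}
```

A page served from a constructed `https://attacker.example` origin gets a SecurityError, while script running on `https://twitter.com` itself may read the redirected URL.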

The future of JavaScript security

The fierce competition between web browser vendors has created an “arms race” in which each vendor adds functionality and technologies at an ever growing pace in order to provide a richer web experience for users. Examples of such technologies include (but are not limited to) 3D graphics, native video and support for external devices (webcam, microphone). Naturally, the browser vendor makes sure that all of these technologies are made available to the JavaScript programmer for the creation of dynamic pages. Just as naturally, the addition of complicated code results in the addition of bugs, including security bugs.

In the current state of affairs, we should expect more JavaScript vulnerabilities. The Firefox affair is just the tip of the iceberg.
