[Full-disclosure] Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox
- To: "'full-disclosure@xxxxxxxxxxxxxxxxx'" <'full-disclosure@xxxxxxxxxxxxxxxxx'>
- Subject: [Full-disclosure] Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox
- From: Context IS - Disclosure <disclosure@xxxxxxxxxxxxxxx>
- Date: Wed, 4 Nov 2009 18:35:00 +0000
===============================ADVISORY===============================
Name: Autocomplete Data Theft in Mozilla Firefox
Systems Affected: Mozilla Firefox 3.5, Mozilla Firefox 3.0
Severity: Moderate
Category: Data Leakage
Author: Context Information Security Ltd
Advisory: 4 November 2009
CVE: CVE-2009-3370
===============================ADVISORY===============================
Description:
------------
A malicious web page can extract all the data stored within the autocomplete
history of a user's Firefox browser. The web page must convince a user to hold
down the left or right-arrow key, after which the contents of the autocomplete
popup can be read. This may include the search history box within the browser,
or other personal details.
Analysis
--------
A malicious web page can be created that includes a text field with the same
'name' attribute as data entered on other sites (e.g. 'q' for Google). The form
autocompletion popup in Firefox can then be triggered and manipulated by a
variety of key presses. For example, by pressing the 'a' key, autocomplete
entries starting with that letter will be shown. Entries in the popup can be
selected by using the up/down arrow keys. When the left or right arrow key is
pressed, the currently selected entry from the popup is entered into the text
field and can be read through JavaScript.
In Firefox, a web page can use the 'createEvent' and 'initKeyEvent' JavaScript
methods to create synthetic key events. It was discovered that these events
could be used to trigger an autocomplete popup and change the currently
selected entry in the popup.
However, it was not possible for synthetic events to cause the text field to be
filled with the current entry. Therefore some user interaction is required to
enable the web page to steal the contents of the drop-down. If a web page can
convince a user to hold down or repeatedly press the left or right-arrow keys,
it can systematically grab each entry in the drop-down box.
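For triage of a suspect page's source, the analysis above yields concrete
markers: a text field reusing a well-known 'name', together with calls to
'createEvent' and 'initKeyEvent'. The heuristic below is an added example, not
code from Context or Mozilla; the function names, the field names other than
'q', and the sample pages are assumptions constructed for illustration.

```javascript
// Static triage heuristic for the page pattern described in the advisory.
// Assumption: only 'q' comes from the advisory; the other field names are illustrative.
const COMMON_FIELD_NAMES = new Set(['q', 'email', 'username', 'search']);

// Collect the name attributes of text-like <input> elements in the markup.
function textInputNames(html) {
  const names = [];
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const tag = m[0];
    // An <input> without a type attribute defaults to a text field.
    const type = (/\btype\s*=\s*["']?([\w-]+)/i.exec(tag) || [null, 'text'])[1].toLowerCase();
    const name = /\bname\s*=\s*["']?([\w.\-\[\]]+)/i.exec(tag);
    if (name && ['text', 'search', 'email'].includes(type)) names.push(name[1]);
  }
  return names;
}

// Flag a page only when a reused field name AND synthetic key events appear together.
function triagePage(html) {
  const reused = textInputNames(html).filter(n => COMMON_FIELD_NAMES.has(n.toLowerCase()));
  const signals = {
    reusedFieldNames: reused,
    createsEvents: /\bcreateEvent\s*\(/.test(html),
    initKeyEvent: /\binitKeyEvent\s*\(/.test(html),
    // Key handlers are context only: many legitimate pages listen for key events.
    keyHandlers: /\bonkey(?:down|up|press)\b|addEventListener\s*\(\s*["']key(?:down|up|press)["']/i.test(html),
  };
  const suspicious = reused.length > 0 && signals.createsEvents && signals.initKeyEvent;
  return { suspicious, signals };
}

// Constructed sample inputs (not captured from any real site).
const SAMPLE_FLAGGED = `
<form><input type="text" name="q"></form>
<script>
  var ev = document.createEvent("KeyboardEvent");
  ev.initKeyEvent(/* arguments omitted */);
  field.addEventListener("keyup", readValue, false);
</script>`;
const SAMPLE_SEARCH_FORM = `<form action="/search"><input name="q"><input type="submit"></form>`;
const SAMPLE_OTHER_FIELD = `<input type="text" name="player_nick">
<script>var e = document.createEvent("KeyboardEvent"); e.initKeyEvent(/* omitted */);</script>`;

console.log(triagePage(SAMPLE_FLAGGED));
```

A match is a reason to review the page by hand, not proof of abuse: test
harnesses and accessibility shims also create synthetic key events.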
Technologies Affected
---------------------
Mozilla Firefox 3.5.3 and below
Mozilla Firefox 3.0.0.14 and below
Resolution
----------
Mozilla fixed this issue in the 3.5.4 and 3.0.0.15 releases of Firefox:
http://www.mozilla.org/security/announce/2009/mfsa2009-52.html
CVE
---
This issue has been assigned CVE number CVE-2009-3370.
Disclosure Timeline
-------------------
8th August 2009 - Initial Discovery and Vendor Notification
8th August 2009 - Vendor Response
27 October 2009 - Vendor Advisory Release
4 November 2009 - Context Information Security Advisory Release
Credits
-------
Paul Stone of Context Information Security Ltd
About Context Information Security
----------------------------------
Context Information Security Limited is a specialist information security
consultancy based in London and Dusseldorf.
Context promotes the holistic approach to information security and helps
clients to identify, assess and control their exposure to risk within the
fields of IT, telephony and physical security. Context employs experienced
information security professionals who are subject-matter experts in their
various technical specialisms. Context works extensively within the finance,
legal, defence and government sectors, delivering high-end information security
projects to organisations for which security is a priority.
Web: www.contextis.co.uk
Email: disclosure@xxxxxxxxxxxxxxx