therube join:2004-11-11 Randallstown, MD | reply to siljaline
Re: Mozilla Firefox 16.0.1 Final

Thanks for that.

quote:
> When the user browses to the attacker's web page, a Javascript on that page opens a new browser window with a Twitter lists URL (»twitter.com/lists). If the victim is signed in to Twitter, then the window is automatically redirected by Twitter to the victim's personal lists page and the URL now contains the victim's personal twitter ID (e.g. »twitter.com/Imperva/lists). The attacker's Javascript now queries the new window for its URL by using the location object. On previous versions, the same origin policy had failed such requests.
> However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victim's Twitter ID in this case.

So that's why the POC didn't work for me when I tried it. I don't twit! (Now I might just sign up for Twitter just to see what it does, nah.)

siljaline Premium join:2002-10-12 Montreal, QC
Jiggy-doo

therube join:2004-11-11 Randallstown, MD | reply to therube
> Stupid testcase showing complete lack of even rudimentary security checks here
> One thing I can't understand is how we could possibly not have had a test for this

Bug 799952 - (CVE-2012-4192) Cross domain access to the location object

therube join:2004-11-11 Randallstown, MD | reply to StuartMW
Can't say I agree with his summary, "The future of JavaScript security".

siljaline Premium join:2002-10-12 Montreal, QC | reply to StuartMW
Another way of putting the Beta business model is:
It's available for pre-release testing [...] MS Releases IE10 preview for Win 7 users: »blogs.msdn.com/b/ie/archive/2012···ber.aspx