therube
join:2004-11-11
Randallstown, MD

therube to siljaline

Member


Re: Mozilla Firefox 16.0.1 Final

Thanks for that.
quote:
When the user browses to the attacker’s web page, a Javascript on that page opens a new browser window with a Twitter’s lists URL (twitter.com/lists). If the victim is signed in to Twitter, then the window is automatically redirected by Twitter to the victim’s personal lists page and the URL now contains the victim’s personal twitter ID (e.g. twitter.com/Imperva/lists). The attacker’s Javascript now queries the new window for its URL by using the location object. On previous versions, the same origin policy had failed such requests.

However, in Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing the leakage of personal data such as the victim’s Twitter ID in this case.

So that's why the POC didn't work for me when I tried it. I don't twit!
(Now I might just sign up for Twitter just to see what it does, nah.)

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

said by therube:

Thanks for that.

Jiggy-doo

therube
join:2004-11-11
Randallstown, MD

Member

> Stupid testcase showing complete lack of even rudimentary security checks here

> One thing I can't understand is how we could possibly not have had a test for this

Bug 799952 - (CVE-2012-4192) Cross domain access to the location object
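
Added example (not part of the thread and not Firefox code): a simplified Node.js model of the same-origin check that guards a window's location object, with the kind of regression check the quoted bug comment says was missing. The function names and the example.* URLs are constructed for illustration.

```javascript
// Simplified model of the check guarding window.location (hypothetical names).
// An origin is the (scheme, host, port) triple; URL.origin serializes it.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The view of `target`'s location that script loaded from `callerUrl` receives.
// The check runs on every access, against the target's *current* URL, so a
// redirect that happens after the window was opened is covered as well.
function locationView(callerUrl, target) {
  const allowed = () => sameOrigin(callerUrl, target.url);
  const deny = (what) => {
    const err = new Error(`Permission denied to ${what} on cross-origin location`);
    err.name = 'SecurityError';
    throw err;
  };
  return new Proxy({}, {
    get(_, prop) {
      // Cross-origin callers must not read any part of the URL.
      if (!allowed()) deny(`get ${String(prop)}`);
      return new URL(target.url)[prop];
    },
    set(_, prop, value) {
      // Navigating another window by assigning href is allowed cross-origin;
      // changing individual components is not.
      if (prop === 'href') {
        target.url = new URL(value, target.url).href;
        return true;
      }
      if (!allowed()) deny(`set ${String(prop)}`);
      const u = new URL(target.url);
      u[prop] = value;
      target.url = u.href;
      return true;
    },
  });
}

// Regression check: does a read of location.href from `callerUrl` leak the URL?
function readHref(callerUrl, target) {
  try {
    return { leaked: true, value: locationView(callerUrl, target).href };
  } catch (e) {
    if (e.name !== 'SecurityError') throw e;
    return { leaked: false, value: null };
  }
}

// Constructed scenario: window opened on /lists, then redirected by the site.
const popup = { url: 'https://social.example/lists' };
popup.url = 'https://social.example/alice/lists';
console.log(readHref('https://attacker.example/page', popup)); // read is refused
```
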