pdp has a new post on his site about Firefox. SC Magazine has picked it up for an article on their site.
From SC Magazine:
“[Firefox has] a design implementation that I believe could lead to a lot of websites and browser extensions being compromised, which could lead to the browser being compromised as well,” researcher Petko Petkov told SCMagazineUS.com after revealing the flaw on Gnucitizen’s blog.
“Attackers are able to launch cross-site scripting (XSS) attacks from any origin (kind of like universal XSS) or escalate their privileges to chrome (not trivial) by tricking the victim into performing an action, such as clicking on a link,” he said on the blog of Gnucitizen, a penetration-testing organization.
Firefox, unlike the Opera and Safari browsers, “treats data URLs like JavaScript URLs,” giving data URLs enhanced privileges that can compromise the browser, he said.
“The problem is that developers are familiar [with] the dangers of JavaScript URLs, therefore they sanitize them (try to escape or remove them from the user input),” he added. “On the other hand, data URLs are taken lightly mainly because, in the past, they were not given the same privileges as JavaScript URLs.”
Petkov called the flaw a “medium-risk” vulnerability.
Tags: pdp, Firefox Design Flaw, Firefox Security
Explore
Security Bloggers Network
