<br><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>On 2/22/07, Michal Zalewski <<a href="mailto:lcamtuf@dione.ids.pl">lcamtuf@dione.ids.pl
</a>> wrote:<br>> There is an interesting vulnerability in how Firefox handles bookmarks.<br>> The flaw allows the attacker to steal credentials from commonly used<br>> browser start sites (for Firefox, Google is the seldom changed default;
<br>> that means exposure of GMail authentication cookies, etc).<br>><br>> The problem: it is relatively easy to trick a casual user into bookmarking<br>> a window that does not point to any physical location, but rather, is an
<br>> inline data: URL scheme. When such a link is later retrieved, Javascript<br>> code placed therein will execute in the context of a currently visited<br>> webpage. The destination page can then continue to load without the user
<br>> noticing.<br>><br>> The impact of such a vulnerability isn't devastating, but as mentioned<br>> earlier, any attention-grabbing webpage can exploit this to silently<br>> launch attacks against Google, MSN, AOL credentials, etc. In an unlikely
<br>> case the victim is browsing local files or special URLs before following a<br>> poisoned bookmark, system compromise is possible.<br>><br>> Thanks to Piotr Szeptynski for bringing up the subject of bookmarks and
<br>> inspiring me to dig into this.<br>><br>> Self-explanatory demo page:<br>> <a href="http://lcamtuf.coredump.cx/ffbook/">http://lcamtuf.coredump.cx/ffbook/</a><br>><br>> This is being tracked as:<br>
> <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=371179">https://bugzilla.mozilla.org/show_bug.cgi?id=371179</a><br><br>In April, just after MoPHPB, Michal Zalewski is going to plan<br>a Month of Firefox Bugs.
</blockquote><div><br>Oh no!! n3tty does not like that!! :(<br><br></div></div><br>
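<div>A defender-side check for the issue described in the quoted advisory, added here as an example and not part of the original thread or of Firefox's code: it scans a Netscape-format bookmarks.html export for entries whose location is inline content instead of a page to load. It goes beyond the advisory's data: case by also flagging javascript: bookmarklets; the sample export and all function names are constructed for illustration.</div>

```python
import re
from html.parser import HTMLParser

# data: is the scheme from the advisory; javascript: (bookmarklets) is added here.
INLINE_SCHEMES = {"data", "javascript"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
LEADING = "".join(chr(c) for c in range(0x21))  # C0 control characters and space

def url_scheme(url):
    """Lowercased scheme, ignoring leading padding and embedded tab/CR/LF."""
    match = SCHEME_RE.match(re.sub(r"[\t\r\n]", "", url.lstrip(LEADING)))
    return match.group(1).lower() if match else ""

class BookmarkAuditor(HTMLParser):
    """Collects <A HREF> entries of a bookmarks.html export that hold inline content."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._entry = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._entry = {"href": dict(attrs).get("href") or "", "title": ""}

    def handle_data(self, data):
        if self._entry is not None:
            self._entry["title"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._entry is not None:
            entry, self._entry = self._entry, None
            scheme = url_scheme(entry["href"])
            if scheme in INLINE_SCHEMES:
                self.findings.append((entry["title"].strip(), scheme, entry["href"][:60]))

def audit_bookmarks(html_text):
    auditor = BookmarkAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

# Constructed sample export; the data: entry carries harmless placeholder markup.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="http://www.google.com/">Google</A>
<DT><A HREF=" DaTa:text/html,&lt;p&gt;constructed sample&lt;/p&gt;">Funny page</A>
</DL><p>
"""

if __name__ == "__main__":
    for title, scheme, href in audit_bookmarks(SAMPLE):
        print(f"review bookmark {title!r}: {scheme}: URL, starts {href!r}")
```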