I just read a shocking post over at The Hacker Webzine. I’ll just quote the whole post:

I’ve been away a couple of days, and today I found something quite disturbing in Firefox. It is possible to read all variables that are set inside Firefox. That’s right: ALL variables and registered objects that are present inside Javascript files and at runtime. It’s even possible to call certain functions. That ranges from local Mozilla config files to all extensions registered inside Firefox. The example below will show you a list of a couple of variables that were set. Note: it is possible to actively scan variables and hijack them when you need to. I’ve tested this against my own Firefox extension called Fire Encrypter, and I was able to steal a dynamically generated password successfully.

It basically means that everyone can probe all Javascript files inside the chrome:// context and log all this information on the server through a simple Ajax instance. Furthermore, it is only possible to call unregistered functions, like those that are set inside extensions by developers. This could lead to denial of service on function calls, privacy breach, information disclosure, and maybe more unseen or unknown attacks. Please do note that this is actually a semi-feature, since extensions themselves need to communicate through the chrome, so this could be very hard to “fix”.

Does the quoted post sound scary? The example page says:

The list below is a static variable and object dump.
All objects contain variables as well, and are not listed. (would be too huge).

You might want to install NoScript, or use Opera, since I am not sure yet how this could lead to further, more clever attacks, since function calls are also possible.
For what it’s worth: consider Javascript dead, it’s just too risky.

You’d better install the NoScript Firefox extension if you aren’t already using it.
