I just read a shocking post over at The Hacker Webzine. I’ll just quote the whole post:

I’ve been away a couple of days, and today I found something quite disturbing in Firefox. It is possible to read all variables that are set inside Firefox. That’s right: ALL variables and registered objects that are present inside Javascript files and on runtime. It’s even possible to call certain functions. That ranges from local Mozilla config files to all extensions registered inside Firefox. The example below will show you a list of a couple variables that were set. Note: it is possible to actively scan variables and hijack them when you need to. I’ve tested this against my own Firefox extension called: Fire Encrypter. And I was able to steal a dynamically generated password successfully.

It basically means that everyone can probe all Javascript files inside the chrome:// context and log all this information on the server through a simple Ajax instance. Furthermore it is only possible to call unregistered functions, like those that are set inside extensions by developers. This could lead to denial of service on function calls, privacy breach, information disclosure, and maybe more unseen or unknown attacks. Please do note that this is actually a semi-feature since extensions themselves need to communicate through the chrome, so this could be very hard to “fix”.

Does the quoted post sound scary? The example page says:

The list below is a static variable and object dump.
All objects contain variables as well, and are not listed. (would be too huge).

You might want to install NoScript, or use Opera since I am not sure yet how this could lead to further more clever attacks since function calls are also possible.
For what it’s worth: consider Javascript dead, it’s just too risky.

You’d better install the NoScript Firefox extension if you aren’t already using it.
