Firefox hack can expose your Google account
While Firefox is touted as the safest web browser in the marketplace, even it has its vulnerabilities.
GNUCitizen.org has discovered a way for malicious JavaScript to be hidden in a page that will be automatically extracted by Firefox’s Java reader. There is an easy fix if you install the NoScript Firefox extension, but this means that you’ll be running absolutely no scripts, making for a far more boring web browsing experience.
Bedford.org (unresponsive at the time of this writing) has followed up on the concept and posted proof-of-concept images of how this could be used to access a Gmail account. Once in, they were able to manipulate the contacts and access all the emails. They have also discovered that this same hack can be used to access a large number of collaborative-style websites.
It has been eight days since the security flaw was revealed and Mozilla, the development company behind Firefox, has not yet issued a fix.
For now, your best safeguards are to either run NoScript or keep your Gmail account logged out as often as possible, though the latter seems an unlikely scenario for most users of the service.

November 18th, 2007
“There is an easy fix if you install the NoScript Firefox extension, but this means that you’ll be running absolutely no scripts, making for a far more boring web browsing experience.”
This is incorrect and misleading, because NoScript protection against this bug is independent from JavaScript blocking, i.e. you can keep JavaScript enabled on sites where you need it and still be protected by NoScript against jar: attacks and other XSS exploits.
See A Jar of Misleading Advices for more details.