Firefox Exploit Leads to Gmail Break-Ins

wings · 2 · 1986

wings

  • Global Moderator
  • Hero Member
  • *****
    • Posts: 70724
    • Gender:Female
  • Vicky Papaprodromou
A security loophole in the Mozilla Firefox web browser has been identified, which may make Google user accounts vulnerable to exploitation by potential hackers. Using cross-site scripting protocols, individuals may be able to access private information without the knowledge of their victims.

This vulnerability was first brought to the attention of internet junkies by Petko D. Petkov, a.k.a 'pdp', founder of the GNUCITIZEN group. His investigation led to the discovery of the Firefox exploit, which is not currently detected in rival web browsers. (Source: gnucitizen.org)     

The issue arises from the ability of hackers to insert .zip files via document formats from common word processing software, and subsequently upload that file onto a server. Firefox JAR protocol allows this compressed data to be uploaded remotely by unauthorized personnels. The specific vulnerability to Google accounts was discovered by bedford.org's Morgan Lowtech, who elaborated that this technique can be used to gain access and modify user accounts, email, and contact lists.

Shockingly this vulnerability does not come as a surprise to Mozilla's security chief Window Snyder, as it was internally discovered in the company over eight months ago. No explanation has been given as to the absence of a patch to fix this issue, however Snyder assures Firefox users that it will be fixed "very soon". However there are several third party patches available online, including a 'NoScript' add-on for Firefox, which blocks JavaScript from untrusted web sites. (Source: zdnet.com)

This will however limit a user's internet experience, as JavaScript are widely used on an array of websites. An alternative security measure suggested by Petkov is to "use white rather then black listings, i.e. you allow only http: and https: protocols, opposed to you allow all protocols apart from JavaScript." While internet enthusiasts have voiced their concerns as to the delayed response by Mozilla, the impact of this vulnerability to the popularity of the Firefox browser has been negligible. (Source: gnucitizen.org)

Source: http://www.infopackets.com/channels/en/windows/gazette/2007/20071120_firefox_exploit_leads_to_gmail_break_ins.htm


Frederique

  • Hero Member
  • *****
    • Posts: 80227
    • Gender:Female
  • Creative, Hardworking and Able!
Google has reported that roughly 60 users have been affected by this problem; (an extremely small percentage of Gmail users who number in the tens of millions.) It would seem to be an exploit of Firefox 2.
Malicious scripting exploits are generally a more widespread issue in Internet Explorer. Much of the malware across the Internet is made possible by exploitable bugs and flaws in the security architecture of Internet Explorer, sometimes requiring nothing more than viewing of a malicious web page in order to install various forms of malware, ActiveX being especially vulnerable. Malevolent sites can use scripting code (like JavaScript) to exploit security holes permitting “drive-by” spyware or Trojan installations. IE 7 attempts to block these exploits, but without much success as compared with the competition, Firefox and Opera being more immune to these. Another unsolved problem with Internet Explorer is its basic integration into the OS, so an exploit is able to also exploit the operating system directly.
Firefox's NoScript plug-in (NoScript.net) does provide a workable solution to the problem. NoScript allows the user to control scripting on a site-by-site basis with a single click.
Microsoft is working on I.E. 8 now as well, but not too much is known yet. I hope they finally isolate it more from Windows.
Communicate. Explore potentials. Find solutions.



 

Search Tools