Mozilla Foundation Security Advisory 2012-54

Title: Clickjacking of certificate warning page
Impact: Moderate
Announced: July 17, 2012
Reporter: Matt McCutchen
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 13
  Firefox ESR 10.0.6
  Thunderbird 13
  Thunderbird ESR 10.0.6
  SeaMonkey 2.10

Description

Security researcher Matt McCutchen reported a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the "Add Exception" button of a real warning page from a malicious site. This can mislead users into adding a certificate exception for a different site than the perceived one. Once the certificate exception has been added, the MITM attacker can compromise communications with the user-perceived site.
