You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-69

Mozilla Foundation Security Advisory 2012-69

Title: Incorrect site SSL certificate data display
Impact: High
Announced: August 28, 2012
Reporter: Mark Poticha
Products: Firefox, SeaMonkey

Fixed in: Firefox 15
  Firefox ESR 10.0.7
  SeaMonkey 2.12

Description

Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading to the displayed certificate data to not be updated. This can be used for phishing attacks by allowing the user to input form or other data on a newer, attacking, site while the credentials of an older site appear on the addressbar.

References