Mozilla Foundation Security Advisory 2007-13

Persistent Autocomplete Denial of Service

Announced
May 30, 2007
Reporter
Marcel
Impact
Low
Products
Firefox
Fixed in
  • Firefox 1.5.0.12
  • Firefox 2.0.0.4

Description

Marcel reported that a malicious web page could perform a denial of service attack against the form autocomplete feature that would persist from session to session until the malicious form data was deleted. Filling a text field with millions of characters and submitting the form will cause the victim's browser to hang for up to several minutes while the form data is read, and this will happen the first time autocomplete is triggered after every browser restart.

No harm is done to the user's computer, but the frustration caused by the hang could prevent use of Firefox if users don't know how to clear the bad state.

Workaround

Once affected by the Denial-of-Service condition normalcy can be restored by deleting stored form data through the "Clear Private Data" item on the Tools menu. This should be done immediately after a restart and before entering any keystrokes into a form field to avoid triggering the hang before the data can be cleared.

The attack can be prevented on older versions of Firefox by unchecking "Remember what I enter in forms and the search bar" on the Privacy tab of the Options dialog.

References