Mozilla Foundation Security Advisory 2008-65

Cross-domain data theft via script redirect error message

Announced
December 16, 2008
Reporter
Chris Evans
Impact
High
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 2.0.0.19
  • Firefox 2.0.0.20
  • Firefox 3.0.5
  • SeaMonkey 1.1.14
  • Thunderbird 2.0.0.19

Description

Google security researcher Chris Evans reported that a website could access a limited amount of data from a different domain by loading a same-domain JavaScript URL which redirects to an off-domain target resource containing data which is not parsable as JavaScript. Upon attempting to load the data as JavaScript a syntax error is generated that can reveal some of the file context via the window.onerror DOM API.

This issue could be used by a malicious website to steal private data from users who are authenticated on the redirected website. How much data could be at risk would depend on the format of the data and how the JavaScript parser attempts to interpret it. For most files the amount of data that can be recovered would be limited to the first word or two. Some data files might allow deeper probing with repeated loads.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Update December 18, 2008: The Windows version of Firefox 2.0.0.19 was shipped without the fix for this issue (other platforms were correctly patched). Firefox 2.0.0.20 has been released on Windows to correct this oversight.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References