Mozilla Foundation Security Advisory 2009-52

Form history vulnerable to stealing

Announced
October 27, 2009
Reporter
Paul Stone
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 3.0.15
  • Firefox 3.5.4

Description

Security researcher Paul Stone reported that a user's form history, both from web content as well as the smart location bar, was vulnerable to theft. A malicious web page could synthesize events such as mouse focus and key presses on behalf of the victim and trick the browser into auto-filling the form fields with history entries and then reading the entries.

References