Mozilla Foundation Security Advisory 2011-24

Cookie isolation error

Announced
June 21, 2011
Reporter
David Chan
Impact
Moderate
Products
Firefox, Thunderbird
Fixed in
  • Firefox 3.6.18
  • Thunderbird 3.1.11

Description

Mozilla security researcher David Chan reported that cookies set for example.com. (note the trailing dot) and example.com were treated as interchangeable. The name with the trailing dot is a distinct host string, and the server sees a different Host header for it, so treating the two as the same origin violates same-origin conventions and could potentially lead to cookie data being sent to the wrong party.
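The following is an added example, not Mozilla's code and not a reproduction of the Firefox 3.6 cookie service. It models how a cookie store should keep example.com. and example.com apart using the RFC 6265 domain-matching rule, and contrasts that with a constructed "normalise away the trailing dot" variant (a hypothetical model of the interchangeable treatment, not the actual bug) so the leak is visible. The class and function names are assumptions for illustration.

```javascript
// Added example (not Mozilla's code). Models correct cookie isolation for
// host names with and without a trailing dot, and a constructed faulty variant.

// RFC 6265 section 5.1.3 domain matching: a request host matches a cookie
// domain if they are identical, or if the host ends with "." + domain and the
// host is not an IPv4 literal. Comparison is case-insensitive. The trailing dot
// is deliberately kept, so "example.com." and "example.com" never match.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (!host.endsWith('.' + cookieDomain)) return false;
  // IPv4 literals never domain-match a suffix
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Minimal cookie jar. `normalize` maps a host string to its storage key;
// the default keeps the trailing dot so the two names stay isolated.
class CookieJar {
  constructor(normalize = (h) => h.toLowerCase()) {
    this.normalize = normalize;
    this.cookies = [];
  }

  // Store a cookie set by `setHost`. Without a Domain attribute the cookie is
  // host-only; with one, RFC 6265 section 5.3 requires the setting host to
  // domain-match the attribute, otherwise the Set-Cookie is ignored.
  setCookie(setHost, name, value, domain) {
    const host = this.normalize(setHost);
    let cookieDomain = host;
    let hostOnly = true;
    if (domain) {
      const d = this.normalize(domain.replace(/^\./, ''));
      if (!domainMatches(host, d)) return false;
      cookieDomain = d;
      hostOnly = false;
    }
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === cookieDomain && c.hostOnly === hostOnly)
    );
    this.cookies.push({ name, value, domain: cookieDomain, hostOnly });
    return true;
  }

  // Cookies that would be sent on a request to `requestHost`.
  cookiesFor(requestHost) {
    const host = this.normalize(requestHost);
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed model of the faulty behaviour: canonicalising away the trailing
// dot makes "example.com." and "example.com" collide in the store.
const stripTrailingDot = (h) => h.toLowerCase().replace(/\.$/, '');

// A cookie set by example.com must not be sent to example.com. (and vice versa).
// Returns what each jar would send to the dotted host.
function demo() {
  const isolated = new CookieJar();
  isolated.setCookie('example.com', 'session', 'secret');

  const collapsed = new CookieJar(stripTrailingDot);
  collapsed.setCookie('example.com', 'session', 'secret');

  return {
    isolated: isolated.cookiesFor('example.com.'), // []
    collapsed: collapsed.cookiesFor('example.com.'), // ['session=secret']
  };
}

console.log(demo());
```

The check to take away: whatever canonicalisation a cookie store applies to host names (case folding, IDNA), it must not erase a component that changes the host string the server sees, and a trailing dot is one such component.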

This issue did not affect Firefox 4, SeaMonkey 2.1, or newer Mozilla-based products.
