Mozilla Foundation Security Advisory 2012-33

Potential site identity spoofing when loading RSS and Atom feeds

Announced
April 24, 2012
Reporter
Jeroen van der Gun
Impact
High
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 12
  • Firefox ESR 10.0.4
  • SeaMonkey 2.9
  • Thunderbird 12
  • Thunderbird ESR 10.0.4

Description

Security researcher Jeroen van der Gun reported that if RSS or Atom XML invalid content is loaded over HTTPS, the addressbar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for phishing attacks where a malicious page can spoof the identify of another seemingly secure site.

References