Mozilla Foundation Security Advisory 2012-54

Clickjacking of certificate warning page

Announced
July 17, 2012
Reporter
Matt McCutchen
Impact
Moderate
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 13
  • Firefox ESR 10.0.6
  • SeaMonkey 2.10
  • Thunderbird 13
  • Thunderbird ESR 10.0.6

Description

Security Researcher Matt McCutchen reported that a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the "Add Exception" button of a real warning page from a malicious site. This can mislead users to adding a certificate exception for a different site than the perceived one. This can lead to compromised communications with the user perceived site through the MITM attack once the certificate exception has been added.

References