Mozilla Foundation Security Advisory 2012-69

Incorrect site SSL certificate data display

Announced
August 28, 2012
Reporter
Mark Poticha
Impact
High
Products
Firefox, Firefox ESR, SeaMonkey
Fixed in
  • Firefox 15
  • Firefox ESR 10.0.7
  • SeaMonkey 2.12

Description

Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading to the displayed certificate data to not be updated. This can be used for phishing attacks by allowing the user to input form or other data on a newer, attacking, site while the credentials of an older site appear on the addressbar.

References