You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2011-25

Mozilla Foundation Security Advisory 2011-25

Title: Stealing of cross-domain images using WebGL textures
Impact: Moderate
Announced: June 21, 2011
Reporter: Context IS
Products: Firefox, SeaMonkey

Fixed in: Firefox 5
SeaMonkey 2.2


Security research firm Context IS discovered that an image from a different domain could be loaded into a WebGL texture, and then each pixel could be rendered into a canvas element with a shader program, creating an approximation of the image in a form that was readable by the creator of the WebGL texture. This could be used to steal image data from a different site and is considered a violation of the same-origin policy.

The WebGL functionality was introduced in the browser engine used by Firefox 4 and SeaMonkey 2.1; the vulnerability does not affect earlier versions.