You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-33

Mozilla Foundation Security Advisory 2012-33

Title: Potential site identity spoofing when loading RSS and Atom feeds
Impact: High
Announced: April 24, 2012
Reporter: Jeroen van der Gun
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 12.0
  Firefox ESR 10.0.4
  Thunderbird 12.0
  Thunderbird ESR 10.0.4
  SeaMonkey 2.9


Security researcher Jeroen van der Gun reported that if RSS or Atom XML invalid content is loaded over HTTPS, the addressbar updates to display the new location of the loaded resource, including SSL indicators, while the main window still displays the previously loaded content. This allows for phishing attacks where a malicious page can spoof the identify of another seemingly secure site.