Mozilla says Firefox flaw could lead to data leak

Mak 2.0

Staff member
Mozilla is working to fix a browser flaw that could give attackers unauthorized access to data on a victim's machine.

The problem is similar to other data leakage flaws found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on Saturday.

Eisenhaur has posted sample code that reads the contents of a Mozilla Thunderbird preferences file, but he believes that attackers could get access to more information with variations on his attack. "It's possible to load any javascript file on a victim's machine," he wrote in his blog posting. "This looks very interesting and may have bigger potential, but for now, it's just another information disclosure [flaw]."

"It could become something more if there was an application that stored sensitive data inside javascript files," he said via instant message. "Some plugins have been known to store usernames and passwords."

>> Source: InfoWorld


Mostly Harmless
Staff member
I don't think it's as big of a deal as it's being made out to be... the *.js files in the Mozilla settings directory do not contain that sensitive info - just settings and locations and stuff... and, to the best of my knowledge, plugins that store usernames and passwords don't store them in JS files - they store them in text files.

Good to know they're on top of it, at any rate.