mailing list archives
Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox
From: Context IS - Disclosure <disclosure () contextis co uk>
Date: Wed, 4 Nov 2009 18:35:00 +0000
Name: Autocomplete Data Theft in Mozilla Firefox
Systems Affected: Mozilla Firefox 3.5, Mozilla Firefox 3.0
Category: Data Leakage
Author: Context Information Security Ltd
Advisory: 4 November 2009
A malicious web page can extract out all the data stored within the autocomplete history of a user's Firefox browser.
The web page must convince a user to hold down the left or right-arrow keys then the contents of the autocomplete popup
can be read. This may includes the search history box within the browser, or other personal details.
A malicious web page can be created that includes a text field with the same 'name' attribute as data entered on other
sites (e.g 'q' for Google). The form autocompletion popup in Firefox can then be triggered and manipulated by a variety
of key presses. For example, by pressing the 'a' key, autocomplete entries starting with that letter will be shown.
Entries in the poupup can be selected by using the up/ down arrow keys. When the left or right arrow key is pressed,
It was discovered that these events could be used to trigger an autocomplete popup and change the currently selected
entry in the popup.
However, it was not possible for synthetic events to cause the text field to be filled with the current entry.
Therefore some user interaction is required to enable the web page to steal the contents of the drop-down. If a web
page can convince a user to hold down or repeatedly press the left or right-arrow keys, it can systematically grab each
entry in the drop-down box.
Mozilla Firefox 3.5.3 and below
Mozilla Firefox 126.96.36.199 and below
Mozilla fixed this issue in the 3.5.4 and 188.8.131.52 releases of Firefox:
This issue has been assigned CVE number CVE-2009-3370.
8th August 2009 - Initial Discovery and Vendor Notification 8th August 2009 - Vendor Response
27 October 2009 - Vendor Advisory Release
4 November 2009 - Context Information Security Advisory Release
Paul Stone of Context Information Security Ltd
About Context Information Security
Context Information Security Limited is a specialist information security consultancy based in London and Dusseldorf.
Context promotes the holistic approach to information security and helps clients to identify, assess and control their
exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information
security professionals who are subject-matter experts in their various technical specialisms. Context works
extensively within the finance, legal, defence and government sectors, delivering high-end information security
projects to organisations for which security is a priority.
Email: disclosure () contextis co uk
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox Context IS - Disclosure (Nov 04)