What went wrong at Mozilla
Tal Be'ery explains the reason for the Firefox 16 recall
Mozilla last week removed the latest update of its Firefox web browser just a day after it was released after a serious security vulnerability was discovered.
The essence of the vulnerability is a breach in the browser's Javascript security. Javascript is mainly used to improve and enrich the user experience, enable the web page creator to modify HTML elements programmatically, and thus change the web page experience without refreshing it.
However, comfort does not come without cost. Executing code that originates from an untrusted environment, such as a web page, on a trusted environment, such as the user's computer, without proper protection is obviously risky.
A browser aims to provide protection by executing the script within a protected environment or sandbox. The sandbox makes sure that the script is confined to performing web-related actions and, therefore, cannot attack non-web related objects.
By implementing this policy, a malicious script cannot read secret files from the user computer, for example.
However, this is not enough. Malicious Javascript with full web access can still cause substantial damage. For example, unless properly tamed, a malicious script might be able to communicate with the user's web banking application, on the user's behalf.
To prevent that, browsers may implement a same origin policy. Here, not only is the script confined to web actions, but it can only perform such actions on the site that provided the script. In the previous example, the browser wouldn't allow the script that originated from one site to interact with the bank domain.
However, in the case of Firefox 16, the browser did not properly enforce this. Specifically, the browser allowed a script from one website to query the URL of a window of another website, by using Javascript's location object.
Security research has created a proof-of-concept web page to demonstrate the implications of a related exploit. The proof-of-concept exposes the twitter ID of the victim, with some very short and basic malicious Javascript code. When the user browses the attacker's web page, Javascript on that page opens a new browser window with Twitter's Lists URL.
If the victim is signed in to Twitter, they are automatically redirected by Twitter to the victim's personal lists page, and the URL now contains the victim's personal twitter ID. The attacker's Javascript now queries the new window for its URL by using the location object.
In previous Firefox versions, the same origin policy successfully obstructed such requests. In Firefox 16 the same origin policy was not implemented correctly and allowed the attacker to gain access to the URL, allowing leakage of personal data – in this example, the victim's Twitter ID.
Tal Be'ery is a web researcher at Imperva