Closed Bug 732773 Opened 12 years ago Closed 12 years ago

SECURITY BUG!!!

Categories

(Core :: General, defect)

11 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

RESOLVED INCOMPLETE

People

(Reporter: prof.marius, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Build ID: 20120215222917

Steps to reproduce:

I have an open tab with my gmail account most of the time when I'm in the browser.
Recently, for temporary usage, I changed my gmail password. Unfortunately, this temporary password is the same one I use for "garbage" sites which demand registration. So, I always register on these sites with another account (not even a gmail account), but, as I said, with the same password as my gmail account :(.


Actual results:

my gmail was hijacked!!! :(((

I think the scenario is:
when I mouse over the gmail tab it always shows:
blahblahblah - myUserName@gmail.com

the "garbage" site runs some script which captures myUserName@gmail.com, then it uses the same password I entered there during the registration process and voilà, we have a gmail account with a password. :(((
I think most users use the same password everywhere.
My point is that I think there has to be no way for scripts to see other tabs, cookies, etc.... I guess it is a heavy security bug :(.


Expected results:

It shouldn't have happened ;).

What makes you believe that other sites can read anything from a third page opened in a different tab/window?
Other sites can't read the cookies and contents of other opened pages, and that includes the title.

Well, I'm not a web programmer, but let's take, say, this link:
http://code.google.com/chrome/extensions/dev/content_scripts.html
which talks exactly about cross site, script injection, and security vulnerability.
It talks about Chrome, but I guess I can find the same about FF.

Here is a quick google result showing exactly what I'm talking about:
http://www.autohotkey.com/forum/topic21491.html
**Again, I don't have a clue how to check it, but the last link title sounds "promising".

That example is for Google Chrome _extensions_ and _not_ for scripts inside a page.
A Firefox extension can do the same and much more, as they are not limited to fixed APIs.
That is the reason why extensions on addons.mozilla.org are served over https and why add-ons are also checked by reviewers and automated tools. Another example of scripts with full access is javascript URLs that a user manually enters in the URL bar. Those scripts have full access to open pages. This got disabled in the latest Firefox releases, as some people don't know the difference and they got tricked into entering those scripts in the URL bar while they were on Facebook. Such a script can send the current active session cookies from Facebook to somewhere else....
Anyway, a site can't do this unless they find a security vulnerability. Such a vulnerability is called XSS -> http://en.wikipedia.org/wiki/Cross-site_scripting

I will mark this report incomplete as long as we don't have evidence that page A can access the contents of page B.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
BTW: The second URL in comment#2 is for an application that runs on your system. Any application running on your system with enough privileges (administrator rights) can do everything it wants on the whole system. It can log your entered keys in all applications, replace the Firefox installation with an Opera one, intercept the network traffic between the browser and the Internet ....
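
The comments above state that a page cannot read the title or cookies of a page from another site open in a different tab. As an added illustration (not part of the original bug report, and not Firefox code), here is a simplified model of the same-origin comparison behind that rule; the function names and the `garbage-site.example` URL are assumptions, and the tab title is the one quoted in the report.

```javascript
// Simplified model of the browser's same-origin check (added example).
// Real browsers give page scripts no handle to unrelated tabs at all; this
// model only shows the origin comparison that decides access.

// An origin is the (scheme, host, port) triple of a URL.
function originOf(url) {
  const u = new URL(url);
  // URL.port is empty when the port is the scheme default, so fill it in
  // to make "https://host" and "https://host:443" compare equal explicitly.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A script running at callerUrl asks for the title of another tab.
function readTitle(callerUrl, tab) {
  if (!sameOrigin(callerUrl, tab.url)) {
    throw new Error(
      `SecurityError: ${originOf(callerUrl)} may not read ${originOf(tab.url)}`
    );
  }
  return tab.title;
}

// Wrapper that reports the decision instead of throwing.
function tryRead(callerUrl, tab) {
  try {
    return { allowed: true, title: readTitle(callerUrl, tab) };
  } catch (e) {
    return { allowed: false, error: e.message };
  }
}

// Constructed sample data: the mail tab described in the report.
const mailTab = {
  url: "https://mail.google.com/mail/u/0/",
  title: "blahblahblah - myUserName@gmail.com",
};

// Hypothetical "garbage" site: different scheme and host, so access is denied.
console.log(tryRead("http://garbage-site.example/register", mailTab));
// Another page on the same origin as the mail tab: allowed.
console.log(tryRead("https://mail.google.com/mail/u/0/#settings", mailTab));
```

The path and fragment play no part in the comparison, while a change of scheme alone (http instead of https) is enough to make two pages cross-origin.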