Attack code for Firefox 16 privacy vulnerability now available online (Ars Technica)
[Security] Posted Oct 11, 2012 17:21 UTC (Thu) by jake
Firefox 16, which was released on October 9, has subsequently been withdrawn due to a privacy leak. Ars Technica looks at code that can exploit the flaw, which is not present in Firefox 15. "In short order, he was able to take advantage of his discovery to fashion proof-of-concept code that forced Firefox 16 to identify a visitor's Twitter handle whenever the user was logged in to the site. The eight-line code sample takes about 10 seconds to reveal the username, and it wouldn't be hard for developers to expand on that code to create attacks that extract personal information contained in URLs from other websites."