Another vulnerability has been found in Firefox, and this one makes it possible for a hacker to retrieve the settings and variables used in extensions. The person who discovered the flaw was able to steal a dynamically generated password created by the Fire Encrypter extension.




So how serious is this? Read for yourself:

It basically means that everyone can probe all Javascript files inside the chrome:// context and log all this information on the server through a simple Ajax instance. Furthermore it is only possible to call unregistered functions, like those that are set inside extensions by developers. This could lead to denial of service on function calls, privacy breach, information disclosure, and maybe more unseen or unknown attacks. [emphasis placed by me]

There is some concern that this could be used to get information such as whitelisted sites on Adblock, or even user details from Gmail Checker. This vulnerability hasn’t been thoroughly tested to see what’s possible and what’s not, but if some information could successfully be retrieved, I’m sure other hackers could find ways to exploit this even further.

The person who discovered the vulnerability recommends that you install the NoScript extension, or use Opera because "this could lead to further more clever attacks." Staying safe online continues to get harder and harder.

Source: The Register