Monday, November 19, 2007

Firefox Exploit can Hack Gmail

EEP!

Mozilla has taken another security blow with the discovery that Google user accounts can be accessed through a dangerous Firefox exploit.

The vulnerability, which is still in the wild some 10 days after its discovery on gnucitizen.org, allows hackers to access Google accounts, including Gmail, with cross-site scripting attacks.

A client or server-side exploit can be inserted into .zip files via open document formats from Microsoft Office 2007 and OpenOffice, and uploaded to a server where the Firefox JAR protocol extracts the compressed data.

According to the Web site, affected platforms range from Web mail clients, collaboration and document sharing systems and other Web 2.0 applications from large software vendors including Google and Microsoft.

[...]

While Mozilla has not issued a solution to the problem, application firewalls and proxy servers can be used to block Windows Universal Resource Identifiers (URIs) that contain the JAR protocol, while Web administrators can use a reverse proxy to prevent malicious content from being uploaded.

Users can download a NoScript add-on for Firefox to block JavaScript and executable content from untrusted Web sites, and can secure their Google accounts by remaining signed out whenever possible.
(via)