Data Leakage Bug in Mozilla Firefox Confirmed

It seems a data leakage bug has struck Firefox recently and has been confirmed by Window Snyder the security bod at Mozilla.

It’s basically a Chrome directory traversal bug (It seems a lot of the Firefox issues have had to do with chrome?).

It’s rated as low risk, but it can give away the existence of files (if the attacker knows the name and location).

The bug resides in Firefox’s chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox’s chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user’s computer. The exploit only works if a user has made use of Firefox extensions that are “flat,” this is, those that don’t package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.

You can protect yourself by using NoScript, which I would guess most of you guys are using already.

The open bug can be found here.

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy

, , , , , ,

Latest Posts:

LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.
Stardox - Github Stargazers Information Gathering Tool Stardox – Github Stargazers Information Gathering Tool
Stardox is a Python-based GitHub stargazers information gathering tool, it scrapes Github for information and displays them in a list tree view.
ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.

24 Responses to Data Leakage Bug in Mozilla Firefox Confirmed

  1. Adam January 28, 2008 at 4:38 pm #

    Thanks for the info. that’s actually quite scary as Firefox is my default browser.

  2. goodpeople January 29, 2008 at 10:26 am #

    Like you said.. low risk. No need to get paranoid over this one..

    btw, those of you that wonder why my responses are kinda short lately, that’s because I broke my left wrist. Typing is somewhat difficult.

  3. Keola January 30, 2008 at 4:32 am #

    Great information and thanks for the link on NoScript.

  4. Nobody_Holme January 30, 2008 at 4:25 pm #

    Ouch. Unlucky. Good luck with the wrist dude.
    and ta darknet. must go make people i know get noscript going.

  5. Pantagruel January 30, 2008 at 10:57 pm #

    A minor hickup but a good thing you point us toward NoScript.

    Good luck with the wrist goodpeople (plastered in or did you get some steel bolted on?)

  6. mumble January 31, 2008 at 12:16 am #

    At least this is (1) an easy fix in the code and (2) in a product that uses auto-update. I figure my windows boxes will get the update when it is released (sometime this week).

    Don’t push too much until it heals. You get two at birth, and no replacements will be issued. Be sure to follow up on PT – you don’t want to have a gimpy wrist for an extended period of time. Good luck and get well soon.

  7. goodpeople January 31, 2008 at 12:29 pm #

    Thanks for the support guys. It really helps.

    To answer some questions you all probably have, I fell while I was skating. It was my third time on skates, so I’m not that good yet.. :-)
    Fortunately it is a clean break, so a bit of plaster for 5 weeks should do the trick. I am afraid that I will need some Physical Therapy as well, but I’ll live. Worst part is that I can’t get to work now. I cannot drive or ride the bycicle.. But I’ll get another kind of plaster next week that doesn’t require me to wear a sling all day…

  8. Nobody_Holme January 31, 2008 at 1:35 pm #

    Auto update, how i love thee.
    Makes everyone’s life easier.

    and i’m thinking no more skating for you for a couple of months. :P

  9. goodpeople January 31, 2008 at 2:19 pm #


    Are you talking about mozilla’s auto-update feature or Windows update?

  10. mumble January 31, 2008 at 11:14 pm #

    I was talking about the mozilla auto-update, which in recent verions is turned on by default. It lets them push out a fast patch for things like this.

    Realistically, this can be fixed with only a few lines of code in one file – but it would probably be a good idea to audit the code looking for other path traversal flaws. Because of the limited scope of the data leakage, though, this isn’t the end of the world…..

  11. goodpeople February 1, 2008 at 1:04 pm #


    That’s okay. I also keep Mozilla’s auto update switched on. But I am a bit wary of Windows update. Even Linux is not allowed to do it’s own updates here. I want to see it first.

  12. Nobody_Holme February 1, 2008 at 6:15 pm #

    I was also talking about non-microsoft auto-updates. I’m not a fan of auto-installing brand new bugs and security flaws, i must say.

  13. goodpeople February 2, 2008 at 12:29 pm #

    @Nobody_Holme & mumble

    Phew! for a second there you guys had me worried ;-)

  14. Nobody_Holme February 2, 2008 at 4:24 pm #

    I’m slightly depressed… I cant have bashed microsuck enough around here for you to notice how much i hate them. :P

  15. Pantagruel February 2, 2008 at 6:09 pm #

    @ Nobody_Holme

    Rest assurred, there will be plenty of Windows wholes to bash ;)

  16. eM3rC February 7, 2008 at 7:59 am #

    When comparing this to all of IE’s bugs I think of this as no big deal. And like Pantagruel said, welcome to the wonderful, yet buggy/vulnerable world of windows ;).

    As for firefox addons what is everyone using?
    I currently use:
    Ad Block Plus
    Tamper Data
    and Download status bar

  17. Pantagruel February 7, 2008 at 1:56 pm #

    @ eM3rc

    All of the stuff you mentioned and some from the FireCat collection

  18. Nobody_Holme February 7, 2008 at 4:05 pm #

    Dont run download statusbar without noscript, methinks?

  19. Pantagruel February 7, 2008 at 6:48 pm #


    You’se right.
    Block statusbar, noscript surely will.

  20. eM3rC February 8, 2008 at 3:34 am #

    Could you recommend any cookie editors for firefox?

  21. Pantagruel February 8, 2008 at 10:22 am #

    Take a look at Cookie Edit or Add N Edit Cookies.

    You might also consider LiveHTTPHeaders if you want to get some realtime info on incoming header/file info

  22. Pantagruel February 8, 2008 at 12:38 pm #

    You also might want to check out Stompy

    for some superb session analysis (and cookie munging)

  23. J. Lion February 11, 2008 at 11:21 pm #

    is there an alternative to firefox besides IE?

  24. eM3rC February 12, 2008 at 2:01 am #

    @J. Lion
    I would stick with firefox because overall it seems to be the best browser. The next in line I would say is Opera, but firefox just released and update so no worries. In my opinion I would stick with firefox no matter what.