Data Leakage Bug in Mozilla Firefox Confirmed

It seems a data leakage bug has struck Firefox recently and has been confirmed by Window Snyder, the security bod at Mozilla.

It’s basically a chrome directory traversal bug (it seems a lot of the Firefox issues have had to do with chrome?).

It’s rated as low risk, but it can give away the existence of files (if the attacker knows the name and location).

The bug resides in Firefox’s chrome protocol scheme and allows for a directory traversal when certain types of extensions are installed. Attackers could use it to detect if certain programs or files are present on a machine, gaining information to use in perpetrating another, more malicious exploit.

Normally, Firefox’s chrome package is restricted to a limited number of directories, but a bug in the way it handles escaped sequences (i.e. %2e%2e%2f) allows attackers to escape those confines and access more sensitive parts of a user’s computer. The exploit only works if a user has made use of Firefox extensions that are “flat,” that is, those that don’t package their files in a jar archive. Examples of flat add-ons include Download Statusbar and Greasemonkey.
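
As an added illustration (not Mozilla's code and not part of the original article), the sketch below shows why the order of decoding and checking matters for a flat package served from a directory, with a containment check that closes the gap. The names `PACKAGE_ROOT`, `resolveFlawed` and `resolveHardened` are hypothetical, and modelling the flaw as "filter first, decode afterwards" is an assumption made for the example.

```javascript
// Added illustration; hypothetical names, constructed paths. Not Firefox source.
// PACKAGE_ROOT stands in for the directory a "flat" extension is served from.
const PACKAGE_ROOT = '/profile/extensions/example-flat/chrome/content';

// Collapse "." and ".." segments of an absolute POSIX-style path.
function normalize(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Flawed order (assumed model): the ".." filter inspects the still-escaped
// string, and decoding happens afterwards, so %2e%2e%2f is never seen as "../".
function resolveFlawed(requestPath) {
  if (requestPath.split('/').includes('..')) return null;
  return normalize(PACKAGE_ROOT + '/' + decodeURIComponent(requestPath));
}

// Hardened order: decode once, refuse leftovers that hint at double encoding
// or alternate separators, canonicalize, then require the result to remain
// inside the package root. Rejecting every "%" is deliberately conservative.
function resolveHardened(requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    return null; // malformed escape sequence
  }
  if (/[%\\\0]/.test(decoded)) return null;
  const full = normalize(PACKAGE_ROOT + '/' + decoded);
  const inside = full === PACKAGE_ROOT || full.startsWith(PACKAGE_ROOT + '/');
  return inside ? full : null;
}
```

The containment test on the canonical path is the part that matters: it holds regardless of how the traversal was spelled in the request.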

You can protect yourself by using NoScript, which I would guess most of you guys are using already.

The open bug can be found here.

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy


24 Responses to Data Leakage Bug in Mozilla Firefox Confirmed

  1. Adam January 28, 2008 at 4:38 pm #

    Thanks for the info. That’s actually quite scary as Firefox is my default browser.

  2. goodpeople January 29, 2008 at 10:26 am #

    Like you said.. low risk. No need to get paranoid over this one..

    btw, those of you that wonder why my responses are kinda short lately, that’s because I broke my left wrist. Typing is somewhat difficult.

  3. Keola January 30, 2008 at 4:32 am #

    Great information and thanks for the link on NoScript.

  4. Nobody_Holme January 30, 2008 at 4:25 pm #

    Ouch. Unlucky. Good luck with the wrist dude.
    and ta darknet. must go make people i know get noscript going.

  5. Pantagruel January 30, 2008 at 10:57 pm #

    A minor hiccup but a good thing you point us toward NoScript.

    Good luck with the wrist goodpeople (plastered in or did you get some steel bolted on?)

  6. mumble January 31, 2008 at 12:16 am #

    At least this is (1) an easy fix in the code and (2) in a product that uses auto-update. I figure my windows boxes will get the update when it is released (sometime this week).

    Don’t push too much until it heals. You get two at birth, and no replacements will be issued. Be sure to follow up on PT – you don’t want to have a gimpy wrist for an extended period of time. Good luck and get well soon.

  7. goodpeople January 31, 2008 at 12:29 pm #

    Thanks for the support guys. It really helps.

    To answer some questions you all probably have, I fell while I was skating. It was my third time on skates, so I’m not that good yet.. :-)
    Fortunately it is a clean break, so a bit of plaster for 5 weeks should do the trick. I am afraid that I will need some Physical Therapy as well, but I’ll live. Worst part is that I can’t get to work now. I cannot drive or ride the bicycle.. But I’ll get another kind of plaster next week that doesn’t require me to wear a sling all day…

  8. Nobody_Holme January 31, 2008 at 1:35 pm #

    Auto update, how i love thee.
    Makes everyone’s life easier.

    and i’m thinking no more skating for you for a couple of months. :P

  9. goodpeople January 31, 2008 at 2:19 pm #


    Are you talking about mozilla’s auto-update feature or Windows update?

  10. mumble January 31, 2008 at 11:14 pm #

    I was talking about the mozilla auto-update, which in recent versions is turned on by default. It lets them push out a fast patch for things like this.

    Realistically, this can be fixed with only a few lines of code in one file – but it would probably be a good idea to audit the code looking for other path traversal flaws. Because of the limited scope of the data leakage, though, this isn’t the end of the world…..

  11. goodpeople February 1, 2008 at 1:04 pm #


    That’s okay. I also keep Mozilla’s auto update switched on. But I am a bit wary of Windows update. Even Linux is not allowed to do its own updates here. I want to see it first.

  12. Nobody_Holme February 1, 2008 at 6:15 pm #

    I was also talking about non-microsoft auto-updates. I’m not a fan of auto-installing brand new bugs and security flaws, i must say.

  13. goodpeople February 2, 2008 at 12:29 pm #

    @Nobody_Holme & mumble

    Phew! for a second there you guys had me worried ;-)

  14. Nobody_Holme February 2, 2008 at 4:24 pm #

    I’m slightly depressed… I cant have bashed microsuck enough around here for you to notice how much i hate them. :P

  15. Pantagruel February 2, 2008 at 6:09 pm #

    @ Nobody_Holme

    Rest assured, there will be plenty of Windows holes to bash ;)

  16. eM3rC February 7, 2008 at 7:59 am #

    When comparing this to all of IE’s bugs I think of this as no big deal. And like Pantagruel said, welcome to the wonderful, yet buggy/vulnerable world of windows ;).

    As for firefox addons what is everyone using?
    I currently use:
    Ad Block Plus
    Tamper Data
    and Download status bar

  17. Pantagruel February 7, 2008 at 1:56 pm #

    @ eM3rc

    All of the stuff you mentioned and some from the FireCat collection

  18. Nobody_Holme February 7, 2008 at 4:05 pm #

    Dont run download statusbar without noscript, methinks?

  19. Pantagruel February 7, 2008 at 6:48 pm #


    You’se right.
    Block statusbar, noscript surely will.

  20. eM3rC February 8, 2008 at 3:34 am #

    Could you recommend any cookie editors for firefox?

  21. Pantagruel February 8, 2008 at 10:22 am #

    Take a look at Cookie Edit or Add N Edit Cookies.

    You might also consider LiveHTTPHeaders if you want to get some realtime info on incoming header/file info

  22. Pantagruel February 8, 2008 at 12:38 pm #

    You also might want to check out Stompy

    for some superb session analysis (and cookie munging)

  23. J. Lion February 11, 2008 at 11:21 pm #

    is there an alternative to firefox besides IE?

  24. eM3rC February 12, 2008 at 2:01 am #

    @J. Lion
    I would stick with firefox because overall it seems to be the best browser. The next in line I would say is Opera, but firefox just released an update so no worries. In my opinion I would stick with firefox no matter what.