Firefox Exploit can Hack Gmail
The vulnerability, which is still in the wild some 10 days after its discovery on gnucitizen.org, allows hackers to access Google accounts, including Gmail, with cross-site scripting attacks.
A client or server-side exploit can be inserted into .zip files via open document formats from Microsoft Office 2007 and OpenOffice, and uploaded to a server where the Firefox JAR protocol extracts the compressed data.
According to the Web site, affected platforms range from Web mail clients, collaboration and document sharing systems and other Web 2.0 applications from large software vendors including Google and Microsoft.
A 302 redirect error in Google, discovered by bedford.org's Morgan Lowtech aka tx, creates a domain-wide cross-site scripting attack allowing hackers to gain access and modify Google user accounts including e-mails, contact lists and online presence.
An example of the redirect error is here, while bedford.org has created a proof of concept link that reveals user Gmail contact lists.
While Mozilla has not issued a solution to the problem, application firewalls and proxy servers can be used to block Windows Universal Resource Identifiers (URIs) that contain the JAR protocol, while Web administrators can use a reverse proxy to prevent malicious content from being uploaded.
IBRS security consultant James Turner, who has used the NoScript add-on, said protection against these vulnerabilities can be a trade-off between security and a rich online experience.
"There are some who will be willing to surf the Net in plain text, and there will be others who will be the most vulnerable that won't find out about it or won't take any action."
Another attack was discovered in September that delivers URI payloads by using mailto, nntp, news, and snews without user intervention. The flaw, which attacked Firefox and Microsoft Internet Explorer, was twice unsuccessfully patched last July
A Firefox exploit which used the Apple Quicktime extension was in the wild for a year before it was patched last September. The vulnerability allowed malicious Quicktime files to be executed, which opened a back door for hackers to install malware and steal data.