Proof-of-concept code that exploits an information leak introduced in version 16 of Firefox.

Attack code that exploits a privacy information leak introduced in the latest version of Firefox is available online, making it easy for malicious websites to gather detailed information about users’ browsing history unless they downgrade to the previous Mozilla release.

As previously reported, Mozilla officials took the unusual step of temporarily removing Firefox 16 on Wednesday, just one day after its release. Company officials warned that a security hole introduced in the release “could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters.” They went on to say there was no evidence the vulnerability was being exploited by real-world attackers. Update: Mozilla has released Firefox 16.0.1 for Android on Google Play, and Firefox 16.0.1 for desktops appears to be available by FTP.

Mozilla’s advisory came several hours after a JavaScript blogger published a post titled “Firefox knows what your friends did last summer.” In it, he reported some curious behavior in the latest version of the open-source browser, where an undefined value is converted to a string inside a native function. In short order, he was able to take advantage of his discovery to fashion proof-of-concept code that forced Firefox 16 to identify a visitor’s Twitter handle whenever the user was logged in to the site. The eight-line code sample takes about 10 seconds to reveal the username, and it wouldn’t be hard for developers to expand on that code to create attacks that extract personal information contained in URLs from other websites.

via Ars Technica » Technology Lab