Firefox Exploit leads to Hack for Google Accounts

Google user accounts are vulnerable to cross-site scripting attacks through a dangerous Firefox exploit, which is still in the wild some 10 days after its discovery. A client- or server-side exploit can be hidden inside a .zip file, including the zip-based document formats of Microsoft Office 2007 and OpenOffice, and uploaded to a server where the Firefox JAR protocol extracts the compressed data. Affected platforms include Web mail clients, collaboration and document sharing systems, and other Web 2.0 applications from large software vendors. Users can install the NoScript add-on for Firefox to block JavaScript and executable content from untrusted Web sites, and can secure their Google accounts by remaining signed out whenever possible.

Google accounts, including Gmail, are easier to target because of a 302 redirect flaw in Google, discovered by bedford.org's Morgan Lowtech, which turns the issue into a domain-wide cross-site scripting attack. This allows attackers to gain access to and modify Google user accounts, including e-mails, contact lists and online presence. While Mozilla has not yet issued a fix for the problem, application firewalls and proxy servers can be used to block Windows Uniform Resource Identifiers (URIs) that contain the JAR protocol, and Web administrators can use a reverse proxy to prevent malicious content from being uploaded.
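The two mitigations the story mentions, filtering URIs that carry the JAR protocol at a proxy or application firewall and screening uploads for archives that smuggle browser-renderable content, can be sketched as simple checks. The following is an added example written for this page; it is not code from the PC World story, Mozilla or Google. It assumes Common Log Format proxy lines, placeholder hosts such as docs.example.test, and the function names shown; every log line and archive is constructed sample data.

```python
"""Defender-side checks for the Firefox jar: protocol issue (added example,
not code from the story, Mozilla or Google). All log lines and archives are
constructed sample data; hostnames such as docs.example.test are placeholders."""
import io
import re
import zipfile
from urllib.parse import unquote

# jar: URIs look like  jar:<archive-url>!/<entry>.  Match the scheme anywhere in
# the request URI, since it usually arrives as a redirect or link parameter.
JAR_SCHEME = re.compile(r"jar\s*:", re.IGNORECASE)

# Entries inside a ZIP container that a browser would render as HTML/script
# when addressed through jar: (ODF/OOXML documents are ZIP containers).
ACTIVE_CONTENT_EXT = (".html", ".htm", ".xhtml", ".js")

# Common Log Format request field: "METHOD URI HTTP/x.y"
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalise_uri(uri: str) -> str:
    """Percent-decode up to twice so jar%3A and double-encoded jar%253A are caught."""
    out = uri
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def is_jar_uri(uri: str) -> bool:
    """True if the decoded URI carries the jar: scheme anywhere."""
    return JAR_SCHEME.search(normalise_uri(uri)) is not None


def flag_jar_uris(log_lines):
    """Return (line_no, uri) for each request whose URI carries the jar: scheme."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = LOG_REQUEST.search(line)
        if m and is_jar_uri(m.group("uri")):
            hits.append((n, m.group("uri")))
    return hits


def archive_has_active_content(data: bytes):
    """Return names of ZIP entries that a browser would treat as HTML/script.

    Non-ZIP input and corrupt archives yield [] so the caller can fall through
    to its normal handling of the upload."""
    if not data.startswith(b"PK"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(ACTIVE_CONTENT_EXT)]
    except zipfile.BadZipFile:
        return []


def build_sample_archive(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed proxy log: lines 2 and 3 carry a jar: URI (plain and percent-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Nov/2007:10:01:02 +0000] "GET /mail/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [14/Nov/2007:10:01:09 +0000] "GET /redirect?url=jar:http://docs.example.test/uploads/report.odt!/page.html HTTP/1.1" 302 0',
    '10.0.0.7 - - [14/Nov/2007:10:02:30 +0000] "GET /redirect?url=JAR%3Ahttp%3A//docs.example.test/x.zip%21/a.html HTTP/1.1" 302 0',
    '10.0.0.9 - - [14/Nov/2007:10:03:00 +0000] "GET /uploads/report.odt HTTP/1.1" 200 40960',
]

# Constructed uploads: a plain ODF-style document and one carrying an HTML entry.
BENIGN_ODT = build_sample_archive({
    "mimetype": b"application/vnd.oasis.opendocument.text",
    "content.xml": b"<office:document-content/>",
})
SUSPICIOUS_ODT = build_sample_archive({
    "content.xml": b"<office:document-content/>",
    "Pictures/payload.html": b"<html><body>constructed sample</body></html>",
})

if __name__ == "__main__":
    for n, uri in flag_jar_uris(SAMPLE_LOG):
        print(f"line {n}: jar: scheme in {uri}")
    print("benign entries flagged:", archive_has_active_content(BENIGN_ODT))
    print("suspicious entries flagged:", archive_has_active_content(SUSPICIOUS_ODT))
```

The URI check is deliberately broad (any `jar:` after percent-decoding, case-insensitive), so a path that merely contains that substring will also be flagged; that is the right trade-off for a blocking rule at a proxy while no browser fix is available. The upload check only looks at entry names, which is enough for the zip-based document formats the story names; a stricter filter would also reject archives whose entries do not match the container's declared mimetype.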

News source: PC World


15 Comments

Blaine said,
This has me scared to check my mail on firefox :(

No better time to switch to Safari 3 beta for Windows. It's built with security in mind...and faster.

internetworld7 said,

No better time to switch to Safari 3 beta for Windows. It's built with security in mind...and faster. :cool:

Now why would you want to suggest that to him? Safari is beta software that is far from being finished. Blaine, I suggest you use IE or Opera in the meantime until Mozilla fixes this in the next release.

internetworld7 said,

No better time to switch to Safari 3 beta for Windows. It's built with security in mind...and faster. :cool:

absolute rubbish.

internetworld7 said,

No better time to switch to Safari 3 beta for Windows. It's built with security in mind...and faster. :cool:

Why does he want to use a stupid piece of Apple software converted to run on Windows? I, the Firefox antichrist, would rather use that than Safari! And Safari is not faster than Firefox! Safari is the slowest and dullest browser I've ever come across!

If you're gonna make a switch from Firefox, then obviously there are two choices: IE or Opera. Now it depends on what you want. If you want speed, then it's Opera, but be warned that some sites aren't compatible with it. If that scares you off, like it did for me, then just go with IE7. It's gotten faster, and if you download IE7Pro, you'll have both browsers rolled into one!

Lately Firefox has been having some bad news.

I guess it's the price of popularity, and stuff being discovered because of the attention.

Man, this is annoying. Oh well. Opera will have to suffice for me, I guess. I just wish that it was a bit more like Firefox in terms of usability. Good-bye, StumbleUpon, Web Developer Toolbar (the one in Opera isn't as useful), TinyMenu, and all of my other useful extensions... :(

As for me checking my mail, I switched to Gmail's IMAP a while ago with Thunderbird. I'm worried about my Google Docs and stuff more than anything else really...

Yeah, I have been using this a little while myself and it's overall nice.

Only bad thing is it requires allowing a lot of sites you visit for the first time. So overall for the average Joe this could be a pain in the butt, although for the more technically savvy it's probably worth using.

So overall for the average Joe this could be a pain in the butt, although for the more technically savvy it's probably worth using.

Although it's probably an inexperienced "average joe" with little sense of website safety and "gut feeling" that needs it most.

But yes, I use NoScript too. It's great not just for the added security, but also for a ton of annoyances and knowing they can't use scripting to activate all sorts of crap. Most sites use scripts, but it's surprisingly rare that you actually need it on for a website you aren't logging on to or where they use those special popup menus...

Jugalator said,

Although it's probably an inexperienced "average joe" with little sense of website safety and "gut feeling" that needs it most.

But yes, I use NoScript too. It's great not just for the added security, but also for a ton of annoyances and knowing they can't use scripting to activate all sorts of crap. Most sites use scripts, but it's surprisingly rare that you actually need it on for a website you aren't logging on to or where they use those special popup menus...

Good point, as you're right that the average Joe is probably most at risk... but the main reason I said what I said is because with NoScript installed it tends to block A LOT of legit stuff from loading, and the "average Joe" won't know how to get the site working in most cases unless they're somewhat familiar with PCs etc. NoScript is fairly easy to use, but at the same time people like "ease of use" as their #1 thing with PCs in general, so to them NoScript will just be a pain in the butt to mess around with, even though it only takes a click or so to fix the issue. It's just that much more stuff they gotta learn/mess with.

Because generally speaking I would probably not install something for the average Joe that uses PCs mainly for websites/email and a few other odds and ends, as programs like NoScript by default will stop a lot of legit stuff from working... all this does is upset the user, especially if they just want stuff to work. Because even though you get added security with this NoScript add-on, there are trade-offs to get that added security, instead of just getting added security for free with no drawbacks... I think you get my point.

Because when adding software to programs, say to get more security for example... it's pretty much got to be one of those automated ones where it protects you more but does not prevent anything from working as normal... so in this sense you're generally limited on what you can do to help out the average Joe.

P.S. But yeah, it can be nice to block the stuff you said in bold... which is also another fairly big reason to use it.

Proof positive of what happens when you push for, lust for even, and finally get 'mainstream' attention.
... and it appears to be a server problem (HTTP 302 error) more than a browser problem, which is all the more unfortunate for Firefox: it can't deal with a server problem correctly?
The resource has been redirected... BY THE SERVER (not the web page)... so the browser should start security checks from the beginning, checking for cross-site scripting and the like just as if the new URI/URL was being hit for the first time.

Maybe, maybe not. Not everyone is going to get their Gmail hacked, only people that go to the infected site with the hack and have Gmail open (at least that's how I understood it), but I do suggest either downloading NoScript or using a different browser to check your Gmail until this is fixed.
