Firefox cross-domain image theft (CESA-2008-009)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Firefox cross-domain image theft (CESA-2008-009)
- From: "Chris Evans" <scarybeasts@xxxxxxxxx>
- Date: Tue, 18 Nov 2008 13:28:20 -0800
Hi,
Firefox 2.0.0.18 fixes a cross-domain theft of image data. Firefox 3
is unaffected. It's another interesting case where a redirector confuses
the browser about the true origin of a piece of content. If evil.org
hosts a redirector, e.g. evil.org/redir, and an image is loaded via
this redirector, the image will be treated as a same-domain image. In
this event, the image pixel data may easily be stolen by rendering the
image to a canvas and using the getImageData() JavaScript API.
Advisory: http://scary.beasts.org/security/CESA-2008-009.html
Blog post:
http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html
Cheers
Chris
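
The origin confusion described in the message, as an added example that is not part of the original post and is not Firefox source code: a simplified model of a canvas origin-clean check, comparing a rule that trusts the requested URL with one that checks every URL in the redirect chain. All names are hypothetical, and `victim.example` and the fetch records are constructed sample values.

```javascript
// Simplified model of a canvas origin-clean check; not Firefox source code.
// Hostnames other than evil.org are constructed sample values.

const originOf = (url) => new URL(url).origin; // scheme + host + port

// Flawed rule: trust the URL written in the page's <img src>.
function checkRequestedUrl(docOrigin, fetchRecord) {
  return originOf(fetchRecord.requested) === docOrigin;
}

// Corrected rule: every URL the fetch touched, including redirect targets,
// must be same-origin with the document.
function checkWholeChain(docOrigin, fetchRecord) {
  return [fetchRecord.requested, ...fetchRecord.redirects]
    .every((url) => originOf(url) === docOrigin);
}

class ModelCanvas {
  constructor(documentUrl, sameOriginRule) {
    this.docOrigin = originOf(documentUrl);
    this.sameOriginRule = sameOriginRule;
    this.originClean = true;
  }
  drawImage(fetchRecord) {
    // Taint is sticky: one cross-origin image poisons the canvas for good.
    if (!this.sameOriginRule(this.docOrigin, fetchRecord)) this.originClean = false;
  }
  getImageData() {
    if (!this.originClean) throw new Error("SecurityError: canvas is tainted");
    return "pixel data";
  }
}

// Returns true if script on documentUrl could read back the drawn pixels.
function pixelsReadable(documentUrl, fetchRecord, rule) {
  const canvas = new ModelCanvas(documentUrl, rule);
  canvas.drawImage(fetchRecord);
  try { canvas.getImageData(); return true; } catch (e) { return false; }
}

// Constructed fetch records.
const viaRedirector = {
  requested: "http://evil.org/redir",
  redirects: ["http://victim.example/private.png"],
};
const localImage = { requested: "http://evil.org/logo.png", redirects: [] };
const page = "http://evil.org/index.html";

console.log("flawed rule:", pixelsReadable(page, viaRedirector, checkRequestedUrl));
console.log("fixed rule: ", pixelsReadable(page, viaRedirector, checkWholeChain));
```

Checking the whole chain also covers a redirect that bounces back to the document's own origin after passing through another one.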