Date: Tue, 18 Nov 2008 16:39:02 -0500
From: adrian.lamo@...hmail.com
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, scarybeasts@...il.com
Subject: Re: Firefox cross-domain image theft (CESA-2008-009)

Dear Petro D. Petro,

Fascinating work.  I will try to understand it when Juha provides a
digest on his security team website.

- -al

On Tue, 18 Nov 2008 16:26:13 -0500 Chris Evans <scarybeasts@...il.com> wrote:
>Hi,
>
>Firefox 2.0.0.18 fixes a cross-domain theft of image data. Firefox 3 unaffected.
>It's another interesting case where a redirector confuses the browser about the
>true origin of a piece of content. If evil.org hosts a redirector, e.g.
>evil.org/redir, and an image is loaded via this redirector, the image will be
>treated as a same-domain image. In this event, the image pixel data may easily
>be stolen by rendering the image to a canvas and using the getImageData()
>JavaScript API.
>
>Advisory: http://scary.beasts.org/security/CESA-2008-009.html
>
>Blog post:
>http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html
>
>Cheers
>Chris
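The redirect-origin confusion in the quoted post, modelled as an added example (not code from the advisory or from Firefox): a browser-side canvas taint check that takes the image's origin from the URL the page requested, which is the flawed behaviour, beside one that takes it from the final response after redirects. The URLs, the response table and the function names below are constructed assumptions.

```javascript
// Constructed table of HTTP responses keyed by URL; it stands in for the
// network so the model runs offline. (Hypothetical hosts, not the advisory's.)
const RESPONSES = {
  "https://evil.example/redir":
    { status: 302, location: "https://victim.example/private.png" },
  "https://victim.example/private.png":
    { status: 200, contentType: "image/png" },
  "https://evil.example/logo.png":
    { status: 200, contentType: "image/png" },
};

// Scheme + host (+ port) of a URL, the unit of the same-origin policy.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Follow 3xx responses the way a fetch layer does and return the URL that
// actually produced the body. The hop limit guards against redirect loops.
function finalResponseUrl(requestUrl, responses, maxHops = 20) {
  let url = requestUrl;
  for (let hops = 0; hops <= maxHops; hops++) {
    const r = responses[url];
    if (!r) throw new Error(`no response for ${url}`);
    if (r.status < 300 || r.status > 399) return url;
    url = new URL(r.location, url).href; // Location may be relative
  }
  throw new Error("too many redirects");
}

// Which origin the image carries for same-origin decisions:
//   "request"  : origin of the URL the page asked for (the flaw described above)
//   "response" : origin of the final response after redirects (the fix)
function imageOrigin(requestUrl, responses, policy) {
  if (policy === "request") return originOf(requestUrl);
  return originOf(finalResponseUrl(requestUrl, responses));
}

// Drawing a cross-origin image taints the canvas, and getImageData() must
// then be refused. Returns true only when the canvas stays untainted.
function getImageDataAllowed(documentOrigin, requestUrl, responses, policy) {
  const tainted = imageOrigin(requestUrl, responses, policy) !== documentOrigin;
  return !tainted;
}
```

Under the "request" policy a page on evil.example that loads victim.example's image through its own redirector is wrongly allowed to read the pixels; under the "response" policy the canvas is tainted and the read is refused.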