Original URL: http://www.theregister.co.uk/2007/02/15/firefox_vuln/
Firefox suffers from a flaw that allows attackers to manipulate the authentication cookies of virtually any website, a vulnerability Bugzilla has deemed severe (https://bugzilla.mozilla.org/show_bug.cgi?id=370445). It's the second major security lapse for the open-source browser in as many days.
The defect, which stems from the way Firefox writes to the "location.hostname" property of the document object model, can be exploited by a specially doctored script that sets variables that normally wouldn't be accepted when parsing a regular URL, according to researcher Michal Zalewski, who uncovered Monday's vulnerability (http://www.theregister.com/2007/02/13/browser_vulns/) as well.
By injecting a text string that includes "\x00," normal safeguards can be bypassed, allowing the browser to be fooled about the origin of a domain trying to set or modify a cookie. The sleight of hand makes a victim's browser appear to be talking to trustedbank.com when in fact it is receiving data from evilhackers.com.
The attacker would also be able to change the document.domain accordingly. A demonstration of the vulnerability, which has been tested on version 2.0.0.1, is available here (http://lcamtuf.dione.cc/ffhostname.html). ®
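The class of check that a "\x00" in a hostname defeats, and a stricter validator that closes it, as an added example that is not Firefox code or code from the original article. All function names are hypothetical, and the shape of the sample string and the "one component stops reading at the NUL" model are assumptions; the article only says the string includes "\x00".

```javascript
// Added example with hypothetical helper names; not Firefox's implementation.
// Assumed model: one component reads the hostname as a NUL-terminated C
// string, while another compares the full script-supplied string.

// Hostname as a C-string consumer would see it (stops at the first NUL).
function cStringView(host) {
  const nul = host.indexOf("\x00");
  return nul === -1 ? host : host.slice(0, nul);
}

// Naive check on the full string: equal to, or a subdomain of, `domain`.
function naiveDomainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Strict validation: each label is letters, digits and hyphens only,
// 1-63 characters, not starting or ending with a hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
function isValidHostname(host) {
  if (typeof host !== "string" || host.length === 0 || host.length > 253) {
    return false;
  }
  return host.split(".").every((label) => LABEL.test(label));
}

// Hardened check: reject anything that is not a well-formed hostname before
// matching, so no two consumers can read the same value differently.
function safeDomainMatch(host, domain) {
  return (
    isValidHostname(host) &&
    isValidHostname(domain) &&
    naiveDomainMatch(host.toLowerCase(), domain.toLowerCase())
  );
}

// Constructed sample built from the article's placeholder domain names.
const crafted = "evilhackers.com\x00.trustedbank.com";

console.log("C-string view:", cStringView(crafted));
console.log("naive match  :", naiveDomainMatch(crafted, "trustedbank.com"));
console.log("strict match :", safeDomainMatch(crafted, "trustedbank.com"));
```

The naive check and the C-string view disagree about which site the value names; validating the hostname before any comparison removes the disagreement.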