Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20889
HistoryNov 20, 2008 - 12:00 a.m.

Firefox cross-domain image theft (CESA-2008-009)

2008-11-2000:00:00
vulners.com
11
JSON

Hi,

Firefox 2.0.0.18 fixes a cross-domain theft of image data. Firefox 3
unaffected. It's another interesting case where a redirector confuses
the browser about the true origin of a piece of content. If evil.org
hosts a redirector, e.g. evil.org/redir, and an image is loaded via
this redirector, the image will be treated as a same-domain image. In
this event, the image pixel data may easily be stolen by rendering the
image to a canvas and using the getImageData() JavaScript API.

Advisory: http://scary.beasts.org/security/CESA-2008-009.html

Blog post: http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html

Cheers
Chris

JSON