The problem is similar to other data leakage flaws found in the open-source browser, according to researcher Gerry Eisenhaur, who first reported the problem on Saturday.
Eisenhaur has posted sample code that reads the contents of a Mozilla Thunderbird preferences file, but he believes that attackers could get access to more information with variations on his attack. "It's possible to load any JavaScript file on a victim's machine," he wrote in his blog posting. "This looks very interesting and may have bigger potential, but for now, it's just another information disclosure [flaw]."
"It could become something more if there was an application that stored sensitive data inside JavaScript files," he said via instant message. "Some plugins have been known to store usernames and passwords."
"It's also just a powerful way to do recon," he added.
Firefox bug could lead to data leaks
Posted on Friday, January 25 2008 @ 4:00 CET by Thomas De Maesschalck