In association with heise online

22 February 2007, 15:37

Firefox executes JavaScript in normal bookmarks

Michal Zalewski, a specialist on browser security, has published a demo that reveals a weak point in the processing of bookmarks by Firefox 1.5 and 2.0. The problem is that JavaScript contained within a bookmark is executed in the context of the site currently displayed rather than in the context of the site to be called. Attackers can exploit this hole to copy a victim's cookies and misuse them for their own purposes. While this has been possible for some time with bookmarklets, they first have to be imported into a bookmark collection via the context menu (right mouse button); they cannot simply be added via the bookmark option or Control-D. With Zalewski's method, however, the bookmark containing JavaScript can be added in exactly this way. Users think they are bookmarking a normal site and do not realize that they have actually added a bookmarklet.

Zalewski's demo shows how this works based on Google's home page, which many users have set as their start page; it is allegedly even possible to steal Google Mail authentication cookies. To get JavaScript into the bookmark, Zalewski uses the data: scheme, which browsers support in addition to the http:// URL scheme and which includes the data directly in the URL. With it, a link need not point to a genuine web site to fetch data and content; it can carry the content itself and have the browser display it.

There has already been much discussion about this weak point in the Mozilla bug database. But no decision seems to have been reached about whether support for the data: scheme should be discontinued in bookmarks or whether users should be warned when adding such a bookmark. Whatever the case, users should be very careful with bookmarks. The JavaScript contained therein is executed locally and thus has access to all resources. A malicious bookmarklet therefore has unlimited means of spying on a computer, in both Firefox and Internet Explorer.
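A defensive check for the situation described above, as an added example that is not part of the original article or of Zalewski's demo: it scans an exported bookmarks.html (Netscape bookmark-file format) for entries whose URL is a javascript: bookmarklet or a data: URL that the browser would render as a document. The function names, category labels and sample file are assumptions made for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

ACTIVE_MIME = {"text/html", "application/xhtml+xml", "image/svg+xml"}
SCRIPT_RE = re.compile(rb"<script|javascript:|\bon\w+\s*=", re.I)

def classify(href):
    """Return 'javascript', 'data-script', 'data-document' or None (plain link)."""
    head, _, rest = href.strip().partition(":")
    scheme = re.sub(r"[\x00-\x20]+", "", head).lower()  # browsers strip tab/newline from URLs
    if scheme != "data":
        return "javascript" if scheme == "javascript" else None
    meta, _, payload = rest.partition(",")
    raw = unquote_to_bytes(payload)
    if meta.lower().endswith(";base64"):
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            raw = b""  # undecodable payload: judge by MIME type alone
    mime = meta.split(";")[0].strip().lower() or "text/plain"  # RFC 2397 default
    if mime not in ACTIVE_MIME:
        return None
    return "data-script" if SCRIPT_RE.search(raw) else "data-document"

class BookmarkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._hit = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._hit = classify(dict(attrs).get("href") or "")
    def handle_data(self, data):
        if self._hit:  # first text node after a risky <A> is its title
            self.findings.append((data.strip(), self._hit))
            self._hit = None

def audit(bookmarks_html):
    """Return (title, finding) pairs for risky entries in a bookmarks.html export."""
    parser = BookmarkAudit()
    parser.feed(bookmarks_html)
    return parser.findings

# Constructed sample in the Netscape bookmark-file format; payloads are inert.
SAMPLE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DT><A HREF="http://www.example.com/">Example</A>
<DT><A HREF="javascript:void(document.title)">Tool</A>
<DT><A HREF="data:text/html;base64,PHNjcmlwdD52b2lkKDApPC9zY3JpcHQ+">Search</A>"""
```

Calling `audit(SAMPLE)` reports the "Tool" and "Search" entries and leaves the ordinary http:// bookmark alone.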
