Mozilla has slapped a “high severity” rating on an unpatched Firefox vulnerability that could let hackers steal session cookies — and sensitive user information — from Web surfers.
Mozilla security chief Window Snyder confirmed the issue in a blog entry late Tuesday, warning that Firefox users who have installed “flat” packed add-ons (browser extensions) are at risk.
The flaw was originally reported as a low-risk information disclosure issue that could help with pre-attack reconnaissance, but Snyder’s latest update confirms the risk is much higher.
“An attacker can use this vulnerability to collect session information, including session cookies and session history,” Snyder said.
Stolen cookies and session information could eventually lead to a complete hijack of things such as Gmail accounts, Amazon.com and eBay credentials, and other sensitive Web-based accounts.
Although Firefox is not vulnerable by default (only users who have installed “flat” packed add-ons are at risk), the partial list of vulnerable Firefox extensions is very, very long.
It includes popular add-ons like Greasemonkey, Download Statusbar, Finjan Secure Browsing and YouTube It.
“If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging,” Snyder added.
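One way an administrator can inventory which installed add-ons are still “flat” rather than .jar-packed is to read each extension's chrome.manifest and check whether its chrome paths use the `jar:` form. The script below is an added example, not Mozilla's code; it assumes the Firefox 2 chrome.manifest format (`content <pkg> <path>`, `skin <pkg> <name> <path>`, `locale <pkg> <name> <path>`, with packed paths written as `jar:chrome/x.jar!/...`) and the conventional `<profile>/extensions/<id>/chrome.manifest` layout, and the sample manifests are constructed.

```python
import os
from dataclasses import dataclass, field

# Only these manifest line kinds register chrome files that can be packed
# flat or in a .jar; overlay/style/resource lines are skipped.
CHROME_KINDS = {"content", "skin", "locale"}


@dataclass
class ManifestReport:
    flat: list = field(default_factory=list)    # (kind, package, path)
    packed: list = field(default_factory=list)  # (kind, package, path)


def classify_manifest(text: str) -> ManifestReport:
    """Classify each content/skin/locale line as flat or jar-packed."""
    report = ManifestReport()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        kind = parts[0]
        if kind not in CHROME_KINDS:
            continue
        # content lines carry the path in field 3; skin/locale lines have an
        # extra provider/locale name first, so the path is in field 4.
        path_idx = 2 if kind == "content" else 3
        if len(parts) <= path_idx:
            continue                            # malformed line, ignore
        entry = (kind, parts[1], parts[path_idx])
        bucket = report.packed if entry[2].startswith("jar:") else report.flat
        bucket.append(entry)
    return report


def scan_profile(extensions_dir: str) -> dict:
    """Assumed layout: <profile>/extensions/<id>/chrome.manifest.
    Returns {extension_id: ManifestReport} for extensions with a manifest."""
    results = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, ext_id, "chrome.manifest")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8", errors="replace") as fh:
                results[ext_id] = classify_manifest(fh.read())
    return results


# Constructed sample manifests: one flat-packed, one .jar-packed.
FLAT_MANIFEST = """content sample chrome/content/
skin sample classic/1.0 chrome/skin/
locale sample en-US chrome/locale/en-US/
overlay chrome://browser/content/browser.xul chrome://sample/content/overlay.xul
"""
PACKED_MANIFEST = """# packed build
content sample jar:chrome/sample.jar!/content/
skin sample classic/1.0 jar:chrome/sample.jar!/skin/
"""
```

Any extension whose report has a non-empty `flat` list is one to chase an updated, .jar-packaged build for.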
Mozilla plans to ship Firefox 2.0.0.12 very soon — possibly by the end of this week — to patch this vulnerability.