Mozilla has slapped a “high severity” rating on an unpatched Firefox vulnerability that could let hackers steal session cookies — and sensitive user information — from Web surfers.
Mozilla security chief Window Snyder confirmed the issue in a blog entry late Tuesday, warning that Firefox users who have installed “flat” packed add-ons (browser extensions) are at risk.
The flaw was originally reported as a low-risk information disclosure issue that could help with pre-attack reconnaissance, but Snyder’s latest update confirms the risk is much higher.
“An attacker can use this vulnerability to collect session information, including session cookies and session history,” Snyder said.
Stolen cookies and session information could eventually lead to a complete hijack of things such as Gmail accounts, Amazon.com and eBay credentials, and other sensitive Web-based accounts.
Although Firefox is not vulnerable by default (only users who have installed “flat” packed add-ons are at risk), this partial list of vulnerable Firefox extensions is very, very long.
It includes popular add-ons like Greasemonkey, Download Statusbar, Finjan Secure Browsing and YouTube It.
“If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging,” Snyder added.
Mozilla plans to ship Firefox 184.108.40.206 very soon — possibly by the end of this week — to patch this vulnerability.