Thursday, 25 March 2010

Serious security flaw in Personas for Firefox

Firefox proves it's capable of beating Internet Explorer in silly exploits.
With the release of Firefox 3.6 and the automatic inclusion and enabling of Personas, the popular alternative to Microsoft's Internet Explorer is showing signs that it's no better. For the unaware, Persona is a feature of Firefox that allows one to 'theme' their browsers with images. Once a Mozilla-developed addon, it's now included, installed, and enabled by default in the latest browser release.

The problem with the addition to the default install of Firefox is that it introduces a gaping hole.

The Problem

Besides it being shoved down the throat of the unsuspecting installer, it would not take much effort to introduce graphic images or, even worse, potentially code into the Persona, thus creating grief for the user. Shortly after the release of 3.6, an exploit was found where a website could potentially hijack the displayed image and then display something else. This is done without the user's intervention or permission.

Persona appears to rely on a set, arbitrary list of domains that are permissible to make changes based on specific code embedded on a theme site. This essentially means that there are pages that are capable of changing the look based on an action such as a MouseOver or OnClick.

However, just as the previously-mentioned exploit demonstrated that Persona made no check of the authenticity of the data being fed to it and thus made a cross-site scripting (XSS) attack possible, it has now become apparent that a man-in-the-middle (MitM) attack is doable. By simply redirecting the unencrypted, unverified traffic to an alternative server, one can perform the same functions as the Persona website itself.

The lack of forced-SSL creates this problem, as Firefox and Persona are unable to differentiate between the two servers. It is because of this that the 3.6 release is still subject to a serious security hole that remains to be patched. If one were to discover a method to have it execute code instead, this could create a rather large security problem that would obviously be quite embarrassing.

To add to this, the problem is worse in browsers 3.5 and lesser that have the addon as opposed to the integrated feature. In this case, there are multiple domains that the extension looks for and permits to change the look and feel.


By simply forcing all traffic to the Persona site from a virtual machine to one of my personal servers, I was able to create an environment where Firefox 3.6 presumed it was on the appropriate website and enabled me to use the MouseOver feature to change the Persona's theme.


As you can see, the page has been modified, and even so it goes through with the event trigger without batting an eye. No modification or changes had been made to the browser prior; this is a stock browser.

Affected software

All Mozilla 3.6 releases up to 3.6.2, and any pre-3.6 release that includes the Persona addon. This is not operating system-specific either.

The Mozilla Foundation has been contacted and the problem is filed under bug 554856.


It appears that disabling Personas in 3.6 requires a significant amount of effort as it's included automatically and without any means of exemption during install. The simplest solution until Mozilla addresses this would be to either drop to a 3.5 release without the extension or stop using the browser altogether.


Mozilla can address this in a few ways:

  1. Force all Personas to require user permission before installation.

  2. Just like how extensions are installed via Mozilla's addons page, enable forced-SSL and do not allow Personas to be installed without it.

  3. Have all Personas signed.

  4. Allow the user to completely disable Persona with ease.

Point two should be one of the most important things done to prevent this from becoming a further problem.
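Points one and two above, sketched as an added example (this is not Firefox or Personas code): a host-only allowlist check of the kind described under "The Problem", beside a check that also requires HTTPS and user approval. The host `themes.example.org`, the function names and the sample requests are assumptions made for illustration.

```javascript
// Added illustration, not Firefox or Personas source code.
// ALLOWED_HOSTS is a hypothetical allowlist; the page does not give the real one.
const ALLOWED_HOSTS = new Set(["themes.example.org"]);

// Weak check: trusts the host name alone. Over plain HTTP the name proves
// nothing, because any server the traffic is redirected to can answer for it.
function hostOnlyCheck(pageUrl) {
  try {
    return ALLOWED_HOSTS.has(new URL(pageUrl).hostname);
  } catch {
    return false;
  }
}

// Hardened check: HTTPS only (the certificate binds the name to the server),
// exact host match, default port, and explicit user approval.
function hardenedCheck(pageUrl, userApproved) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "https:") return { allow: false, reason: "not HTTPS" };
  if (u.port !== "") return { allow: false, reason: "non-default port" };
  if (!ALLOWED_HOSTS.has(u.hostname)) return { allow: false, reason: "host not allowlisted" };
  if (!userApproved) return { allow: false, reason: "no user approval" };
  return { allow: true, reason: "ok" };
}

// Constructed sample requests: [page URL, did the user approve the change?]
const SAMPLES = [
  ["http://themes.example.org/gallery", false],
  ["https://themes.example.org/gallery", false],
  ["https://themes.example.org/gallery", true],
  ["https://themes.example.org.lookalike.test/", true],
];

// Run both checks over every sample so the difference is visible side by side.
function audit(samples) {
  return samples.map(([url, ok]) => ({
    url, weak: hostOnlyCheck(url), hardened: hardenedCheck(url, ok),
  }));
}

console.table(audit(SAMPLES).map(r => ({ url: r.url, weak: r.weak, hardened: r.hardened.reason })));
```

The first sample is the case the post describes: the host-only check accepts a page served over plain HTTP, while the hardened check rejects it before the allowlist is even consulted.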


Because of this flaw, I advise taking the workaround to heart. I would like to thank aydiosmio on 2600net for initially pointing out the flaw to me. Let this be a reminder to all to not allow software to update without your permission.

