The Polish hacker's ongoing audit of the open-source browser's design has turned up another potentially serious vulnerability, one that could allow the theft of user credentials from commonly used startup pages.
Zalewski said the flaw lies in the way Mozilla's flagship browser handles bookmarks. In certain scenarios an attacker can exploit the bug to steal authentication cookies; because Google is the default startup page in Firefox, this could expose Gmail or Google AdSense authentication cookies.
Although the severity is rated low, Zalewski warned that social engineering can be used to silently launch attacks against Google, MSN, AOL or other credentials. "In the unlikely case that the victim is browsing local files or special URLs before following a poisoned bookmark, system compromise is possible," he added.
Mozilla security chief Window Snyder confirmed that the next scheduled Firefox release will include a fix for the flaw, which could be exploited to make the browser appear as if it were connecting to a bank when in fact it was receiving data from an online criminal. "We have not heard of any reported exploits. However, we're working to address the issue as quickly as possible to minimize the window of risk," Snyder said.
That Firefox release is expected to ship on Thursday, February 22.