Mozilla Foundation Security Advisory 2012-69
Incorrect site SSL certificate data display
- Announced
- August 28, 2012
- Reporter
- Mark Poticha
- Impact
- High
- Products
- Firefox, Firefox ESR, SeaMonkey
- Fixed in
-
- Firefox 15
- Firefox ESR 10.0.7
- SeaMonkey 2.12
Description
Security researcher Mark Poticha reported an issue where incorrect SSL certificate information can be displayed on the addressbar, showing the SSL data for a previous site while another has been loaded. This is caused by two onLocationChange events being fired out of the expected order, leading to the displayed certificate data to not be updated. This can be used for phishing attacks by allowing the user to input form or other data on a newer, attacking, site while the credentials of an older site appear on the addressbar.