An exploit for Firefox, reported 10 days ago and as yet unpatched, is giving attackers access to Google accounts, including Gmail. Firefox users are advised to use NoScript or to turn off JavaScript on unknown web pages, and to stay logged out of their Google accounts until a fix is issued.
A 302 redirect flaw in Google, discovered by bedford.org's Morgan Lowtech, aka tx, creates a domain-wide cross-site scripting attack that allows hackers to gain access to and modify Google user accounts, including e-mail, contact lists and online presence. An example of the redirect error is here, and bedford.org has created a proof-of-concept link that reveals the user's Gmail contact list. While Mozilla has not yet issued a fix, application firewalls and proxy servers can be used to block Uniform Resource Identifiers (URIs) that use the jar: protocol, and web administrators can use a reverse proxy to prevent malicious content from being uploaded. Users can install the NoScript add-on for Firefox to block JavaScript and executable content from untrusted web sites, and can protect their Google accounts by remaining signed out whenever possible.
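As an added example (not part of the original report or of any vendor's code), a minimal proxy-side check that implements the suggested mitigation: reject any request whose URL is a jar: URI or carries one, possibly percent-encoded several times, inside a query parameter such as a redirect target. The host names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding; a single unquote misses double-encoded input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_jar_uri(url: str, depth: int = 3) -> bool:
    """True if `url` uses the jar: scheme itself or carries a jar: URI inside any
    query parameter, e.g. the target of an open 302 redirect (...?q=jar:http://...!/x.html).
    `depth` bounds how many redirect-parameter layers are inspected."""
    if depth < 0:
        return False
    url = _fully_decode(url).strip()
    if url.lower().startswith("jar:"):
        return True
    try:
        query = urlsplit(url).query
    except ValueError:
        return True  # unparsable URL: fail closed rather than let it through
    for _, value in parse_qsl(query, keep_blank_values=True):
        if contains_jar_uri(value, depth - 1):
            return True
    return False


def filter_requests(urls):
    """Partition outbound requests into (blocked, allowed) for a filtering proxy."""
    blocked = [u for u in urls if contains_jar_uri(u)]
    allowed = [u for u in urls if not contains_jar_uri(u)]
    return blocked, allowed


# Constructed sample requests (hypothetical hosts, no real exploit URLs):
SAMPLE_REQUESTS = [
    "http://mail.example.test/inbox",
    "jar:http://untrusted.example/archive.jar!/index.html",
    "http://redirector.example/url?q=jar%3Ahttp%3A%2F%2Funtrusted.example%2Fa.jar%21%2Fx.html",
    "http://redirector.example/url?q=http%3A%2F%2Fsafe.example%2F",
    # double-encoded jar: URI nested two redirect parameters deep
    "http://redirector.example/url?q=http%3A%2F%2Fhop.example%2Fgo%3Fnext%3Djar%253Ahttp%253A%252F%252Funtrusted.example%252Fa.jar%2521%252Fx.html",
]

if __name__ == "__main__":
    blocked, allowed = filter_requests(SAMPLE_REQUESTS)
    print("blocked:", *blocked, sep="\n  ")
    print("allowed:", *allowed, sep="\n  ")
```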