I was awarded a Firefox Security Bug Bounty Award!
I just received an email from the head of the Mozilla security team that I have been awarded a Security Bug Bounty Award for an sg:critical bug I found in Firefox. For those that don’t know, sg:critical is the highest level of severity and indicates the bug is an “exploitable vulnerability which can lead to the widespread compromise of many users.” That sounds pretty scary, but on the bright side sg:critical means I get the maximum bounty of $3000 (and a t-shirt :). Very cool :).
I don’t want to share more since the vulnerability hasn’t been fixed yet, but as soon as it is I’ll give a full explanation.
In Firefox the loadSubScript function loads code into the current security context, and since it’s called from an extension the code is loaded in the secure security context. In Firefox 3.6 (and now again in Firefox 11+) any unsecure objects passed in the loadSubScript context are correctly wrapped in a XrayWrapper (XPCNWrapper in Firefox 3.6).
In Firefox 4 a bug was introduced that missed adding these wrappers for loadSubScript. So the secure loaded code was handed unsecure, unwrapped objects. If a target window (any web page) anticipated this bug they could check for the vulnerability in each user’s browser, and if they found it they could use it to do anything a Firefox extension could do (essentially gaining full access to the user’s system, files … practically everything).