Dear Petro D. Petro,

Fascinating work.  I will try to understand it when Juha provides a
digest on his security team website.

-al

On Tue, 18 Nov 2008 16:26:13 -0500 Chris Evans
<[EMAIL PROTECTED]> wrote:
>Hi,
>
>Firefox 2.0.0.18 fixes a cross-domain theft of image data. Firefox 3
>unaffected. It's another interesting case where a redirector confuses the
>browser about the true origin of a piece of content. If evil.org hosts a
>redirector, e.g. evil.org/redir, and an image is loaded via this redirector,
>the image will be treated as a same-domain image. In this event, the image
>pixel data may easily be stolen by rendering the image to a canvas and using
>the getImageData() JavaScript API.
>
>Advisory: http://scary.beasts.org/security/CESA-2008-009.html
>
>Blog post:
>http://scarybeastsecurity.blogspot.com/2008/11/firefox-cross-domain-image-theft-and.html
>
>Cheers
>Chris
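
The origin confusion described in the quoted advisory, as an added example that is not part of the original thread and is not Firefox source code: a simplified model of the canvas origin-clean flag, showing why the image's origin has to come from the final URL after redirects. The host victim.example, the redirect table and all function names are constructed for illustration, and the "flawed" rule is an assumption about how such a confusion can arise.

```javascript
// Constructed redirect table: the redirector on evil.org answers with a
// redirect to an image on another site (victim.example is a placeholder).
const REDIRECTS = {
  "http://evil.org/redir": "http://victim.example/private.png",
};

const originOf = (url) => new URL(url).origin;

// Follow redirects; return every URL visited, requested URL first.
function fetchChain(url, maxHops = 5) {
  const chain = [url];
  while (REDIRECTS[chain[chain.length - 1]]) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    chain.push(REDIRECTS[chain[chain.length - 1]]);
  }
  return chain;
}

// Flawed rule (assumed): origin taken from the URL that was requested.
const originFromRequest = (chain) => originOf(chain[0]);
// Correct rule: origin taken from the URL that actually served the bytes.
const originFromFinalUrl = (chain) => originOf(chain[chain.length - 1]);

class ModelCanvas {
  constructor(documentUrl, imageOriginRule) {
    this.docOrigin = originOf(documentUrl);
    this.imageOriginRule = imageOriginRule;
    this.originClean = true; // cleared once cross-origin pixels are drawn
  }
  drawImage(src) {
    const imgOrigin = this.imageOriginRule(fetchChain(src));
    if (imgOrigin !== this.docOrigin) this.originClean = false;
  }
  getImageData() {
    if (!this.originClean) throw new Error("SecurityError: canvas is tainted");
    return "pixel data";
  }
}

// True if a page on evil.org can read pixels back after drawing `src`.
function pixelsReadable(imageOriginRule, src) {
  const canvas = new ModelCanvas("http://evil.org/page.html", imageOriginRule);
  canvas.drawImage(src);
  try { canvas.getImageData(); return true; } catch (e) { return false; }
}
```
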


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
