Security watchers are concerned that a protocol handling flaw in Firefox could have implications for the security of data held within Google and, possibly, other web applications.

The flaw, involving the handling of the "jar:" protocol by Firefox, gives rise to cross-site scripting attacks. No patch is available through there are a number of workarounds (such as blocking URIs that contain "jar:" using a reverse proxy or application firewall). For home users, Secunia advises users to avoid following untrusted "jar:" links or visiting untrusted websites.

The trick might be used to conduct cross-site scripting attacks on sites that allow a user to upload certain files, such as .zip or .png.

As the GNUCitizen blog notes application which allow the upload of JAR/ZIP files are potentially vulnerable to a persistent Cross-site Scripting as a result of the bug. Web mail clients, collaboration systems, document sharing systems are all potential targets on attack.

The attack could be used to steal cookie-based authentication credentials, for example. GNUCitizen has published a proof of concept demo that illustrates how a user's contact book in Gmail might be accessed using the approach.

Suitably the results page of the demo is illustrated with a picture of insufferably annoying (and arguably racist) Star Wars character Jar Jar Binks. ®

Related stories

• Most home routers 'vulnerable to remote take-over' (15 January 2008)
• Firefox update puts lid on Jar bug (27 November 2007)
• Firefox version 3 makes beta (20 November 2007)
• How to expose Gmail contacts without really trying (27 September 2007)
• Unholy trinity of flaws put Google users at risk (24 September 2007)
• Google's Lemon squeezes out web app bugs (18 July 2007)
• YouTube 'riddled with 40-plus security vulnerabilities' (20 June 2007)
• Analysis Google security vulnerabilties stack up (3 June 2007)
• Insecure plug-ins pose danger to Firefox users (1 June 2007)
• New vulnerability strikes heart of Web 2.0 (3 April 2007)