Friday, March 16, 2012 security vulnerability

Recently, I've discovered an XSS (cross-site scripting) vulnerability in add-on for browsers. is a password manager that keeps passwords in the cloud in a secured manner.

The vulnerability allows a malicious site owner to craft a special field which, if and when the user decides to remove that field from the vault, causes arbitrary JavaScript code to be executed. The code would be able to access the runtime environment of the plugin, and thus submit sensitive information about users to an external site. acknowledged the vulnerability, and issued a patch in a short amount of time. add-ons are no longer affected by the issue, at this moment. They also publicly credited me for the disclosure at
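The pattern described above, shown as an added example that is not the add-on's code or part of the original disclosure: a page-supplied field name reaches a "remove field" confirmation, first by string concatenation and then with output encoding. The record layout, function names and sample field are assumptions made for illustration.

```javascript
// Added example: hypothetical model of a vault "remove field" dialog.
// Every name below is an assumption; none comes from the affected add-on.

// Constructed sample: a field record saved from a page the site owner controls.
const capturedField = {
  site: "example.test",
  name: '<img src=x onerror="alert(1)">', // page-supplied, untrusted
};

// Vulnerable pattern: the untrusted name is concatenated into markup that
// would later be assigned to innerHTML inside the add-on's privileged context.
function renderRemoveConfirmUnsafe(field) {
  return `<p>Remove field <b>${field.name}</b> from ${field.site}?</p>`;
}

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every page-supplied value is encoded at the point of output.
// In real DOM code, assigning the name via textContent achieves the same result.
function renderRemoveConfirmSafe(field) {
  return `<p>Remove field <b>${escapeHtml(field.name)}</b> from ${escapeHtml(field.site)}?</p>`;
}

// Crude review aid: list the element names a parser would open in the markup.
// Anything beyond the template's own tags came from untrusted data.
function tagsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
}

console.log("unsafe:", tagsIn(renderRemoveConfirmUnsafe(capturedField)));
console.log("safe:  ", tagsIn(renderRemoveConfirmSafe(capturedField)));
```

The extra `img` element in the unsafe output is what the field name injected; the hardened renderer leaves only the template's own `p` and `b` tags.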
