Security hole - text buffer, middle mouse button, Firefox

The scenario:
  1. The User has opened window of the Firefox.
  2. The User selects some text on the terminal window by draggin mouse cursor with left mouse button pressed.
  3. The User inserts selected text into it's intended location using mouse middle button.
  4. The User does a lot of other things. And some time later.
  5. The User presses mouse middle button over opened Firefox window.
  6. Firefox tries to load web page using text pasted in step 5.
What have we got? An unintentional and, maybe, serious information disclosure.

In my case in the text buffer was ip address of host from which somebody did something not friendly on one of my pages. I've pasted (intentionally, of course) this ip address as parameter for some command line tools. And forgot about the text buffer with ip address inside.
Some time later I've pressed mouse middle button while having mouse cursor over Firefox window. Firefox started loading web page from offending ip address.

What information was disclosed?
  • the fact that I've read logs on the server and found interesting actions and ip address connected with them
  • the fact that I've done something with this address
  • most important, my own ip address
One can imagine more dangerous scenarios.

It's a word of caution, mostly for myself.

Update: to switch off Firefox behavior described in 6.: on page about:config set value middlemouse.LoadContentURL to false and restart browser.

No comments: