FIREFOX HAS A BUG that's been around for over a decade, according to Forcepoint's security boffins, who have finally flagged the flaw to Mozilla.
The bug is an odd one and arguably not something that's much of a threat, given it has gone unreported since 2007.
The flaw is triggered when someone, for some reason, drags an email from Microsoft Outlook and drops it into the main window area of Firefox.
While the likes of Edge, Chrome, and Safari kick up a fuss, resulting in a semi-nonsense message for normal users, Firefox does something a little different.
The browser squashes the email's column headers together and serves up the text "fromsubjectreceivedsizecategories", which it treats as a URL and opens in a new tab. So far, so meh.
But it turns out that the URL produced from the English-language version of that text leads to a registered domain whose landing page redirects to malicious content and sites, including Apple-themed and crypto-related scams.
So yeah, it's not exactly a pleasant bug, but at the same time, it's arguably not one you're likely to encounter unless you're a bit clumsy with your mouse.
"The action involved may be considered something of an edge case (at least when performed deliberately), but mistakes happen and, in this case, can leave you at the mercy of the content on some unexpected URLs," said Forcepoint.
"Ultimately, this goes to show how easy certain use cases are to miss during testing. Naturally, we would advise companies to do some basic sanity checking about how their applications behave with drag and drop operations - on both the submitting and receiving end of data, but also that users be vigilant with what they drag and drop."
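The sanity check Forcepoint recommends is easy to express on the receiving side of a drop: never treat dropped text as a navigable address just because it looks like a single word. The following is an added example, not code from the article, Forcepoint or Mozilla, and it makes no claim about how Firefox's own URL fix-up actually works: `naiveCoerceToUrl` is an illustrative stand-in for the "helpful" coercion that turns bare text into a URL, while `classifyDroppedText` is the strict check a drop handler should apply. The Outlook payload is a constructed sample based only on the header string quoted above.

```javascript
// Added example: defensive handling of dropped text (not from the article).

// Illustrative approximation of a "helpful" coercion: anything that is not
// already an http(s) URL gets a scheme bolted on. This is NOT Firefox's real
// fix-up logic; it only shows how bare text can become a navigation target.
function naiveCoerceToUrl(text) {
  const t = text.trim();
  return /^https?:\/\//i.test(t) ? t : `http://${t}`;
}

// Strict classification: only an absolute http or https URL is navigable.
// Scheme-less text (such as concatenated column headers) stays plain text,
// and non-web schemes are blocked rather than opened.
function classifyDroppedText(text) {
  const t = text.trim();
  if (!t) return { kind: 'empty' };
  let url;
  try {
    url = new URL(t); // throws TypeError for scheme-less input
  } catch {
    return { kind: 'text', value: t };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { kind: 'blocked', reason: `scheme ${url.protocol} not allowed` };
  }
  return { kind: 'url', value: url.href };
}

// Constructed sample of what an Outlook drop might carry, modelled on the
// header string quoted in the article (hypothetical payload shape).
const CONSTRUCTED_OUTLOOK_DROP = {
  'text/plain': 'fromsubjectreceivedsizecategories',
};

// Drop handler: returns the classification; a real UI would only navigate
// when result.kind === 'url' and would render everything else as inert text.
function handleDrop(dataTransferLike) {
  const text = dataTransferLike['text/plain'] || '';
  return classifyDroppedText(text);
}

// Stand-alone demonstration
console.log('naive  :', naiveCoerceToUrl(CONSTRUCTED_OUTLOOK_DROP['text/plain']));
console.log('strict :', handleDrop(CONSTRUCTED_OUTLOOK_DROP));
```

Run with `node drop-check.js`: the naive path happily produces `http://fromsubjectreceivedsizecategories`, exactly the kind of accidental navigation the article describes, while the strict path classifies the same string as plain text and never opens it.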
Mozilla has a fix in the works and will be rolling it out in early September. But it does raise an eyebrow as to why the bug in Firefox went unnoticed for quite some time, especially given the healthy bug bounty the organisation offers.
As non-hackers, we don't have the answer but white and black hats feel free to email in. µ