The zero-day bug, rated "less critical" on Tuesday by vulnerability monitoring firm Secunia, can be exploited to dupe users into disclosing confidential information. First reported by researcher Charles McAuley on the Full-Disclosure mailing list, the vulnerability affects both Microsoft Internet Explorer (IE) and Mozilla Firefox browsers running on Windows, Macintosh and Linux platforms.
The flaw is caused by a design error in which script can "cancel certain keystroke events when entering text," according to a Secunia advisory. The vulnerability can be exploited to cause users to instead type the keystrokes into a hidden file upload box on the same page, allowing a malicious attacker to capture the information.
"The problem is that in both IE and Firefox, you can filter the keystrokes entered in a form and ‘bounce’ the input over to the file input box, and then bounce back to (the) previous text entry, making it appear as if nothing has happened," McAuley, of Imperfect Networks, said. "Yes this is minor, but a conceivable avenue of attack."
Mozilla advised Firefox users to upgrade to the latest version of the browser, which fixes a dozen security vulnerabilities.