Michal Zalewski has been on a roll lately - this time with overwriting cookies on other people’s domains in Firefox. Yup, Jordan Wiens sent this over to me, and apparently a bug has already been filed by Mozilla to fix this, but this has some interesting security implications.
The trick isn’t too complex: he is essentially using a null separator, which confuses Firefox, but the implications are that you can do session fixation across domains, invalidate cookies, etc. Further, there may be other nasty things you can do, since Firefox may not know where it is (allowing you unrestricted XMLHttpRequests). Think of this as the MHTML bug for Firefox. Nasty. Great work, Michal!