Security researchers at Google Project Zero and Coinbase independently reported a zero-day vulnerability in the Firefox browser (CVE-2019-11707) that lets a malicious web page execute code in the browser process and, chained with a second bug, reach the underlying operating system, as reported by ZDNet on June 18, 2019.
First Firefox Zero-Day Since 2016
Firefox is generally considered one of the safer browsers; its previous in-the-wild zero-day dates to late 2016.
Because the Tor Browser is built on Firefox ESR, it was affected by the same bug and received its own update. The attack was initially thought to be aimed at Coinbase users, but Coinbase clarified that the zero-day was used to target its employees instead.
The attackers sent spear-phishing emails luring victims to a web page; if the victim opened it in a vulnerable Firefox, the page exploited the browser to download and run malware, giving the attackers a foothold on the machine and access to data such as saved browser passwords.
Coinbase's security team detected and blocked the attack on June 17, 2019. It chained two zero-days: the first gave remote code execution inside the browser, the second was a sandbox escape that let the payload reach the operating system. Mozilla shipped a fix for the first bug (CVE-2019-11707) in Firefox 67.0.3 and ESR 60.7.1 on June 18, and for the sandbox escape (CVE-2019-11708) in Firefox 67.0.4 and ESR 60.7.2 on June 20. The first bug had already been reported to Mozilla on April 15 by Samuel Groß of Google Project Zero, roughly two months before it was seen in the wild, so a fix was ready to ship within a day of the in-the-wild report.
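The practical question for anyone running a Firefox fleet after this disclosure is which installs are still missing one or both fixes. As an added practitioner check that is not part of the original article, the Python below answers that from the fixed versions published in Mozilla's advisories mfsa2019-18 and mfsa2019-19. The inventory of hostnames and version banners is constructed for the example; the banner format is what `firefox --version` prints on Linux and macOS (for example `Mozilla Firefox 67.0.3`), and treating 60.x builds as the ESR line is an assumption tied to June 2019.

```python
"""Audit helper: which of the two June 2019 Firefox fixes does a given build lack?

Fixed versions come from Mozilla advisories mfsa2019-18 (CVE-2019-11707, shipped
2019-06-18) and mfsa2019-19 (CVE-2019-11708, shipped 2019-06-20).
The sample inventory and the 'firefox --version' banner format are assumptions
made for this example, not data from the article.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First version on each branch that carries the fix.
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2019-11707": {"release": (67, 0, 3), "esr": (60, 7, 1)},  # type confusion, RCE in browser
    "CVE-2019-11708": {"release": (67, 0, 4), "esr": (60, 7, 2)},  # sandbox escape
}
ESR_MAJOR = 60  # the ESR line current in June 2019 (assumption for this example)


def parse_version(text: str) -> Tuple[Version, str]:
    """Turn '67.0.3', '60.7.1esr' or '68.0b3' into ((major, minor, patch), branch).

    Beta/nightly suffixes are dropped, so '68.0b3' compares as 68.0.0 on the
    release branch. A build is on the ESR branch if it says 'esr' or its major
    matches the ESR line of the day.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = tuple(int(p) if p else 0 for p in m.groups())
    branch = "esr" if ("esr" in text.lower() or parts[0] == ESR_MAJOR) else "release"
    return parts, branch


def version_from_banner(banner: str) -> str:
    """Extract the version from a 'firefox --version' banner such as 'Mozilla Firefox 67.0.3'."""
    m = re.search(r"(\d+(?:\.\d+)*(?:esr|[ab]\d+)?)", banner)
    if not m:
        raise ValueError(f"no version in banner: {banner!r}")
    return m.group(1)


def missing_fixes(version: str) -> List[str]:
    """Return the CVE ids whose fix this build does not yet carry (empty list = patched)."""
    v, branch = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed[branch]]


# Constructed inventory (hostname -> banner); these hosts are not real.
SAMPLE_INVENTORY: Dict[str, str] = {
    "laptop-01": "Mozilla Firefox 67.0.2",     # missing both fixes
    "laptop-02": "Mozilla Firefox 67.0.3",     # RCE fixed, sandbox escape not yet
    "build-box": "Mozilla Firefox 60.7.1esr",  # ESR: RCE fixed, sandbox escape not yet
    "laptop-03": "Mozilla Firefox 67.0.4",     # fully patched
    "laptop-04": "Mozilla Firefox 68.0b3",     # newer beta, fully patched
}


def audit(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the list of fixes it is missing."""
    return {host: missing_fixes(version_from_banner(b)) for host, b in inventory.items()}


if __name__ == "__main__":
    for host, missing in audit(SAMPLE_INVENTORY).items():
        status = "patched" if not missing else "MISSING " + ", ".join(missing)
        print(f"{host}: {status}")
```

The point of keeping two tables is that a build can be "fixed" for the browser-side bug and still exposed to the sandbox escape for two days, and that ESR 60.7.1 is newer than release 67.0.2 in patch terms despite the smaller number; a naive "is the version at least 67.0.4" check would misreport every ESR host.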
How the attackers obtained the remote code execution bug is unknown. ZDNet speculates that they either discovered it independently, learned of it from an insider, or compromised an employee's account to read the restricted security-bug section of Mozilla's Bugzilla.
The two bugs were chained into a single exploit and deployed against Coinbase staff. Coinbase's team detected and stopped the attack quickly. Had it succeeded, the attacker could have used a compromised employee machine as a foothold into Coinbase's backend network and from there attempted to steal user funds and personal information.
This tactic has been used numerous times in the past and has led to huge losses at many cryptocurrency exchanges.
Coinbase's analysis of the malware found little evidence that customers were targeted. Attacks like this are nevertheless a common way to penetrate an exchange's backend servers and reach its customers indirectly.
In other news, Mozilla was recently targeted by cryptojackers and responded with a patch less than 48 hours after discovering the bug.