“This can allow for an exploitable crash,” reads Mozilla’s latest patch note. “We are aware of targeted attacks in the wild abusing this flaw.”
Samuel Groß, one of the security researchers who found and reported the bug, confirmed he did so way back on April 15 — over two months ago.
“The first public fix then landed about a week ago,” Groß tweeted earlier today. He then said security fixes for Firefox are usually held back until the next full release is prepared to launch.
According to Groß, attackers can exploit the bug for remote code execution (RCE), but it would only be effective under certain conditions: on its own, a bug like this yields code execution inside Firefox's sandboxed content process, so taking over the whole machine additionally requires a sandbox escape.
For a browser bug, RCE means the attacker's code runs on the visitor's own machine, not on a web server: anyone who can get the victim to load a malicious page, or inject script into a legitimate one, gets that execution. Mozilla's patch note says only that the attacks are "targeted"; it appears major cryptocurrency exchange Coinbase was among the targets.
“However, most likely it can be exploited for [Universal Cross-Site Scripting (UXSS) attacks] which might be enough depending on the attacker’s goals,” Groß continued.
A UXSS bug breaks the browser's own same-origin policy, so the attacker's script runs with the privileges of any other site the victim is logged into. That is enough to read session cookies and page contents, capture usernames and passwords as they are typed, and perform actions as the user, for instance in an exchange account, without ever leaving the browser sandbox.
So far, no specific details of how the bug has been exploited have been released. Hard Fork has reached out to Coinbase for more information, and will update this piece should we receive a reply.
Mozilla has now released a patch and urged users to update their browsers as soon as possible.