[Security Alert] Update Firefox Browser Now as Hackers Exploit a Serious Bug Targeting Users of Major Crypto Exchanges
Mozilla has issued a security alert warning that hackers are taking advantage of a serious bug in its Firefox browser, which can be used to take over the entire computer.
The company has warned that crypto owners face the highest risk of an imminent attack, The Next Web reports. Firefox users have been asked to patch their browsers.
On Tuesday, Mozilla's security team warned about a critical “type confusion vulnerability” in the Firefox browser when it processes certain JavaScript code. The company's security advisory stated:
“This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.”
The company did not divulge more details about the bug, so it remains unclear exactly how the hackers have been launching their attacks.
However, since the vulnerability involves processing JavaScript, this may mean the bug can be triggered when visiting a malicious website or link.
Security Researchers Discover the Bug
The discovery of the bug was credited to Samuel Groß, a security researcher on the Google Project Zero security team, as well as to the Coinbase security team.
Groß claimed that he reported the bug about two months ago on April 15. In a tweet, the researcher explained that the initial public fix came about a week ago. He explained:
“I found and then reported the bug on April 15 but the first public fix then landed about a week ago.”
The bug can be exploited for RCE but would then need a separate sandbox escape. However, most likely it can also be exploited for UXSS which might be enough depending on the attacker's goals. Looking forward to more details from @mozsec and @coinbase
— Samuel Groß (@5aelo) June 19, 2019
Groß explained that the delay in fixing the vulnerabilities could have been caused by the need to have the next full release ready for launch, as Firefox fixes its flaws by releasing a new version.
As per Groß’s explanation, hackers can exploit the bug for RCE [remote code execution]. However, they would be required to meet various conditions. In most instances, RCE allows attackers to wholly take control of a specific web server.
Based on who reported the security flaw, it can safely be assumed that the security flaw was being exploited in attacks aimed at cryptocurrency owners. Groß also indicated that he did not have details about how the zero-day was used, and said that Coinbase Security could offer more details about the in-the-wild attacks. Groß explained further:
“However, most likely it can be exploited for [Universal Cross-Site Scripting (UXSS) attacks] which might be enough depending on the attacker’s goals.”
In most instances, UXSS attacks result in the loss of vital data and information such as login details, passwords and other important credentials.
At the moment, no precise details have been made public on how the bug has been used by unscrupulous individuals.
The US Cybersecurity and Infrastructure Security Agency has also issued an advisory, which warns that an attacker could exploit this vulnerability to take control of an affected system. Mozilla users have been advised to update their browsers to avoid any attack.
Do you think hackers have already exploited the Mozilla bug to steal cryptocurrencies from unsuspecting crypto owners? Let us know in the comments section.