Firefox Exploit Discovered

Browser exploit found to search for sensitive files.

On August 5th, it was discovered that a news site in Russia contained an advertisement which was utilizing an exploit in Firefox to search for and upload sensitive files from the user’s computer and uploading them to a server appearing to be in Ukraine.  Security updates that patch this vulnerability were released by Mozilla and all users of the Firefox browser were encouraged to update to version 39.0.3.

The origins of the vulnerability stem from the Firefox PDF viewer’s interaction with the piece of the Firefox browser that enforces JavaScript context separation (“same origin policy”).  Firefox for Android doesn’t contain the PDF viewer and therefore is not vulnerable.  The exploit would inject a JavaScript payload into local file context allowing for the searching of and uploading of potentially sensitive local files.

This exploit leaves absolutely no trace on the machine.  Anyone using Firefox on Windows or Mac/Linux are urged to change passwords and keys found on the typically developer focused files such as subversion, s3browser, and Filezilla configuration files from FTP clients on Windows.  Linux/Mac variants would search for global configuration files such as .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and any files with “pass” and “access” in the names as well as shell scripts.

If ad-blocking software is installed, it is possible that users were protected depending on how and which filters were being utilized.