
This article was published on August 7, 2015

Update Firefox now: major vulnerability could steal your data

Story by

Owen Williams


A major vulnerability discovered by Mozilla, lurking in an advertisement shown by a Russian news site, could steal your files and upload them to a Ukrainian server without you ever knowing.

The flaw exploits Firefox’s PDF viewer and the JavaScript context to inject a script that can search for and upload local files. All you need to do is load the page with the exploit and it’ll silently steal files in the background.

Interestingly, the files it searches for on the local system are mostly developer-focused. On Windows, the attack specifically looks for FTP configuration files, Subversion, .purple and other account information. On Linux, it looks for global configuration files and user directories.

Mac users aren’t specifically targeted by the attack that was discovered, but wouldn’t be immune if targeted.

The attack doesn’t appear to be widespread right now, having only been spotted on a Russian ad network, but it’s likely only a matter of time until it spreads as more people discover it.

All versions of Firefox are affected and Mozilla says that to protect against the exploit you should update to version 39.0.3 right now. Enterprise users can patch to 38.1.1.

Firefox exploit found in the wild [Mozilla blog]
