Story image

Aura Infosec discovers major Mozilla Firefox vulnerability

10 Apr 2019

A security consultant at trans-Tasman cybersecurity consultancy, Aura Information Security, is behind the discovery of a major vulnerability in popular web browser Mozilla Firefox that had the potential to expose millions of people’s private online images and documents.

Alex Nikolova, who is based out of Aura’s Wellington office, made the discovery whilst conducting a research project on the same-origin policy of various web browsers, and immediately reported it to Mozilla, who fixed the issue within days.

Alex discovered a bug that had the potential to allow hackers to access user’s images and documents stored in image format, without being detected.

“Usually when a user visits one site, for example, mypics.example, web browsers are supposed to prevent another site, say evil.example, from being able to request information from mypics.example using the user's login session on mypics.example. This is called a "same-origin policy" and it dictates how browsers should behave when it comes to cross-site requests. 

“This bug essentially prevents this same-origin policy from working and allows attackers to easily access private images (which should be accessible only to a logged in user) on any site accessed via Firefox, e.g. Facebook, Instagram, online banking, or even government sites which may store their documents in image file format.

“The image can be anything: from a scanned document to a QR code used for two-factor authentication, and can be in any format (e.g. png, jpg, svg),” she says.

The vulnerability was apparent and exploitable in Firefox (version 65.0) and while it was also present in Google Chrome, Nikolova says that it was never exploitable in the latter, making it a medium-level threat.

Aura general manager Peter Bailey says Alex’s find is just one example of the research coming out of New Zealand and Australia.

“We’re incredibly proud of Alex, research like this is a huge part of what we do at Aura as it encourages our team to be a part of the solution – rather than simply fighting fires or responding to attacks when they’ve already occurred.

“The cybersecurity talent in New Zealand and Australia is world-class, and Alex’s find is just one example of the incredible research coming out of our small but very important corner of the world,” says Bailey.

Aura Information Security sets aside up to 20% of consultants’ time per week for research-based projects.

The company’s consultants have been asked to present research findings at leading InfoSec events all over the world.

Talking about what drives her work and her passion for the industry, Alex notes that while discoveries like this help, it’s the constant evolution of the threat landscape that really thrills her.

“I see it as a puzzle to be solved, to learn how the criminal thinks and always stay one step ahead of them. It ties my love of technical stuff and coding, together with my interest in criminal psychological profiling.

“In my job, I have to get into the attacker's shoes, try to think like them. I'm always looking forward to being presented with the open question of ‘how do you go about owning every possible aspect of that infrastructure’ every time I start a new job.”

Her final advice to all businesses is: “Patch. Keep yourself up-to-date, all the time. Vulnerabilities come out every day and those who want to exploit your data don't need longer than that.”

Safety solutions startup wins ‘radical generosity’ funding
Guardian Angel Security was one of five New Zealand businesses selected by 500 women (SheEO Activators) who contributed $1100 each.
Hands-on review: The ruggedly tough CAT S61 smartphone
The driveway beckoned me, so I dropped the phone several times.  Back in the study, close examination has failed to reveal a single scratch.
How printing solutions can help save the planet
Y Soft has identified five key ways organisations can become more economical and reduce their environmental impact.
Is NZ’s tech industry starting to mature?
Technology is New Zealand’s fastest growing and third biggest industry.
How Kiwibank aims to enable greater digital inclusion
"Online tools can offer a more convenient and cheaper customer experience, but there can be barriers to usage."
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Inland Revenue to shut down services later this week
“There’s never an ideal time to shut down the tax system but we’re confident the changes will make any inconvenience worthwhile.”
NZ managers prefer intuition to big data, Massey study finds
Many senior managers in New Zealand businesses have an inherent distrust of big data, opting instead to rely on their own intuition.