Firefox users, update now, file stealing exploit found

[deepceleron]

Firefox 39.0.3 was released and fixes a huge 0-day flaw in the built in PDF reader that allows a site to steal files from a PC - for you this means wallet files.

"The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files".

https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

It was found in ads on a news site that actively searched for and stole FTP client and account information along with bash history and scripts. It is as easy to imagine drive-bys taking wallet files or anything the user can access.

The exact mechanism is not detailed without having access to the CVE. Mitigations such as moving or renaming the wallet file may not be effective, as searching for files is possible. Disabling the built-in PDF reader via about:config may not be effective either, so update.

[1714885433]

1714885433

[|Bitcoin|]

I use chrome so there is no need to worry.  Even if I use firefox I have my wallet on my phone. Nothing to worry for me.

[linkgostar]

i used chrome too. anyway thank for this News

[mindrust]

Thanks for letting us know that you are safe against this exploit,  @|Bitcoin| . Be safe.

As a 39.0 user, thanks to the original poster for letting me know. I'll update right away.

[Cryptock]

Holy crap. Thanks for the heads up

[countryfree]

Thanks for info, but my Firefox is tuned for auto updates, so there's no risk. One nice Firefox's feature is to allow profiles. I have one profile dedicated to BTC, banking and online shopping, which I'm not using now. That helps make my computer a bit more secure. I keep on thinking Firefox is the best browser around. And I'm not sharing anything with Google.

[unamis76]

I've read this before and immediately pictured my empty wallet files on my desktop being stolen Anyways, I'm on Chrome. But I'm also worried as it might have the same or a similar exploit. I hope it is discovered if it's there...

Good thing they promptly corrected the issue after being discovered.

[White sugar]

just use noscript and you will be fine

also is this for all OS's that have the reader or just some?

[rokkyroad]

linux users can use Firejail to further protect themselves. Firejail sandboxes browsers and others.

https://l3net.wordpress.com/projects/firejail/

[Xian01]

I've read this before and immediately pictured my empty wallet files on my desktop being stolen

LPT: Ensure that your wallet is encrypted with a redonkulously long password.

[Superhitech]

Thanks for the heads up, updated my firefox. 

[Foxpup]

just use noscript and you will be fine

No, you won't. The PDF viewer script is internal to Firefox and is not blocked by NoScript. Please don't post dangerous false information for the sake of your signature campaign.

[Holliday]

If you store bitcoin private keys on a computer which is also used to browse the web (or even connected to the internet for that matter), you are probably going to have a bad time.

[LiteCoinGuy]

If you store bitcoin private keys on a computer which is also used to browse the web (or even connected to the internet for that matter), you are probably going to have a bad time.

yeah, you should not store everything in a hotwallet on your pc  

you could use a hardware wallet:

https://bitcointalk.org/index.php?topic=899253.0