bL4nkcode (OP)
Copper Member
Legendary
 Offline
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
|
 |
June 19, 2019, 10:56:49 AM
Last edit: June 19, 2019, 02:31:13 PM by bL4nkcode Merited by suchmoon (4), LoyceV (4), dothebeats (2), Mr. Big (2), bones261 (2), vapourminer (1), pooya87 (1), Lucius (1), Quickseller (1), DdmrDdmr (1), bitmover (1), o_e_l_e_o (1) |
|
I just saw this article, though I'm not a firefox user but to those who are using it, UPDATE your firefox browser to the latest patch version now. According to the article a zero-day flaw was exploited It’s not clear exactly what hackers are attempting to gain by actively exploiting this flaw, but stealing cryptocurrency is one guess
A zero day flaw is A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
Btw, dunno what board should post this, so I just let this thread here, feel free to report to mod to move the thread. moved. |
|
|
|
|
|
|
|
|
|
|
|
|
|
Bitcoin mining is now a specialized and very risky industry, just like gold mining. Amateur miners are unlikely to make much money, and may even lose money. Bitcoin is much more than just mining, though!
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18507
|
|
June 19, 2019, 12:26:43 PM
Last edit: June 19, 2019, 02:08:00 PM by o_e_l_e_o Merited by suchmoon (4), LoyceV (1) |
|
More information here: https://www.cybersecurity-help.cz/vdb/SB2019061805?affChecked=1A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system. An exploitable crash is much worse than it sounds, and they potentially allow an attack to run arbitrary code on your system. This is a serious issue and you should update immediately. I think this kind of post should probably go in Beginners and Help since it is not directly crypto related, but a lot of people will want to know about it. |
|
|
|
|
bitmover
Legendary
Offline
Activity: 2282
Merit: 5887
bitcoindata.science
|
|
June 19, 2019, 12:36:50 PM |
|
I think this attack could work just if you have cryptocurrencies held in web wallets , right? if no browser is involved in your cryptocurrencies operations (like electrum / ledger nano) i see no much problem. I just saw this article, though I'm not a firefox user but to those who are using it
Just curious, which browser do you use? I think firefox is the best out there, better privacy than chrome (which is almost a spyware), and have a bigger development team than Brave (which is the natural competitor in privacy terms). Maybe the new Edge may look interesting (as it is chromium based), but it is not stable yet. I like this website a lot, and firefox is the top one recommended https://www.privacytools.io/browsers/ |
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
Lucius
Legendary
Offline
Activity: 3220
Merit: 5630
Blackjack.fun-Free Raffle-Join&Win $50🎲
|
|
June 19, 2019, 12:47:49 PM |
|
Thanks for the warning  Firefox was my favorite browser for years, but about a month ago they add some new feature in browser because of which I had to stop using it. What they do is to in order to reduce using of RAM, to unload any open page in tabs, so if user is switching between tabs that page will need to reload every time which is pretty irritating. I try to disable that option which is called "Suspend Idle Tabs", but without success. We know that Chrome is had a similar problem a few months ago, too bad that Firefox did not patch this exploit before hackers discovered it. However this will not affect too many users, all statistic show that less then 10% is using Firefox. |
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
bL4nkcode (OP)
Copper Member
Legendary
Offline
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
|
|
June 19, 2019, 12:53:55 PM |
|
I think this kind of post should probably go in Beginner's and Help since it is not directly crypto related, but a lot of people will want to know about it.
Just moved... Just curious, which browser do you use? I think firefox is the best out there, better privacy than chrome (which is almost a spyware), and have a bigger development team than Brave (which is the natural competitor in privacy terms). Maybe the new Edge may look interesting (as it is chromium based), but it is not stable yet.
I frequently use brave for browsing and accessing favorite sites while only use firefox for my work--developing websites. Never think of using edge as of now. |
|
|
|
|
|
rhomelmabini
|
|
June 19, 2019, 01:34:07 PM |
|
Just updated my Firefox browser to the latest version 67.0.3 but mine is new as it just been installed recently from version 67.0.1 but just to be sure I've updated it to the new one. Seen this across telegram channels and group too about a possible attack, good thing it has been found by the Coinbase Security Team and Samuel Groß, a security researcher with Google. @bL4nkcode I know your Filipino as well, I guess it will be best too to post this onto our local board for some notice, I guess some users are using Firefox browser too in there, the more it is disseminated throughout the forum the better. |
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18507
|
I think this attack could work just if you have cryptocurrencies held in web wallets , right? No. An exploitable crash allows an attacker to execute code outwith the browser. Your entire system is potentially at risk. So will Firefox install updates automatically with standard installation or is this something you need to check for updates in settings? Click Help -> About Firefox. The latest version is currently 67.0.3 (assuming you are not using Beta or Nightly builds). If an update is available, a click box will be present prompting you to download it, and it will then install automatically after you restart Firefox. If you have the latest version already, instead of the click box you will see the words "Firefox is up to date". What they do is to in order to reduce using of RAM, to unload any open page in tabs, so if user is switching between tabs that page will need to reload every time which is pretty irritating. You should be able to disable this by going to about:config, searching for browser.tabs.unloadOnLowMemory, and changing from "true" to "false". |
|
|
|
|
bL4nkcode (OP)
Copper Member
Legendary
Offline
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
|
|
June 19, 2019, 02:23:18 PM |
|
@bL4nkcode I know your Filipino as well, I guess it will be best too to post this onto our local board for some notice, I guess some users are using Firefox browser too in there, the more it is disseminated throughout the forum the better.
Thanks for the heads up, never thought of posting it there earlier. Will do that. |
|
|
|
|
|
naska21
|
|
June 19, 2019, 03:40:25 PM |
|
Well, sandbox your FF or any browser so that you can go about your day feeling safe. The essential point in this case is the lack of menace to your OS on the part of zero-day exploit (no matter which one is it) therefore your browser can be updated at any time.
|
|
|
|
|
LTU_btc
Legendary
Offline
Activity: 3038
Merit: 1330
Slava Ukraini!
|
|
June 19, 2019, 08:03:38 PM |
|
Thanks for warning. I have enabled auto updates on Firefox. But now I just checked to be sure that I have latest version of browser installed. And I found that I have 67.0.2 version, not sure why 67.0.3 wasn't installed until now. So, I just updated it.
I'm not sure, but in recent months I got impression that various vulnerabilities appears on browsers more often than in past.
|
|
|
|
dothebeats
Legendary
Offline
Activity: 3626
Merit: 1352
Cashback 15%
|
|
June 19, 2019, 10:00:34 PM |
|
I have always used FF over Chrome and Edge for banking-related services and browsing that I need for the last few years. Never have encountered a single problem with them. I'm just wondering if I'm at risk considering that I did browse my bank and logged in using FF yesterday? I have already updated to the latest version and just wondering whether online-related services are also exploited. Good thing is I don't store wallets on my online machines, not even once.
|
.
.HUGE. | | | | | | █▀▀▀▀
█
█
█
█
█
█
█
█
█
█
█
█▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
CASINO & SPORTSBOOK
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█
█
█
█
█
█
█
█
█
█
█
█
▄▄▄▄█ | | |
|
|
|
hatshepsut93
Legendary
Offline
Activity: 2954
Merit: 2145
|
Stuff like this is why crypto users, especially those with serious amounts, should research security on their own. Big wallets should always be cold wallets, and when it's necessary to do some online operations, like trading on exchange, it's better to have a separate device for that purpose only. So, it's a good idea to grab and old PC or Laptop, install the freshest Linux, and use it for online wallets and nothing else - no browsing, no emails, no programs. This way even zero days like this one will be unlikely to hit you, as long as the exchange site is not hacked - but that is something that will always be outside of your control.
|
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
|
|
June 20, 2019, 03:17:52 AM |
|
usually when you report a vulnerability in an application it is best to include the affected version(s) in your title or the opening post. this helps users reading the board in the future to quickly check their app's version and see if it concerns them or not.
in this case versions below 67.0.3 are vulnerable.
P.S. this is just another case of "cold storage not affected" which shows importance of using it.
|
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
|
jademaxsuy
|
|
June 20, 2019, 03:58:10 AM |
|
Thank you for the quick alarm OP. I am always using firefox browser and I am not aware of this after I have read your thread. I am thankful that there are users here and a forum I can rely on especially in terms of technical aspects. This is why I always visit also this section and the meta section to follow for more updates in the cryptocurrency and in the forum.
|
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18507
|
|
June 20, 2019, 10:14:54 AM |
|
I'm just wondering if I'm at risk considering that I did browse my bank and logged in using FF yesterday? An "exploitable crash", as this issue was, is just that - a way to crash your browser which results in arbitrary code being run on your machine. If your browser did not crash, then you personally were not attacked. If you have now updated, then it is no longer an issue for you. wondering whether online-related services are also exploited. It is possible there are companies or services still using an older version of Firefox who would still be at risk of being attacked, but there is nothing you or I could do about that. So, it's a good idea to grab and old PC or Laptop, install the freshest Linux, and use it for online wallets and nothing else - no browsing, no emails, no programs. Although that is good advice in general, it wouldn't necessarily have protected against this attack. This attack was via the official (and until recently most up-to-date) version of Firefox. It was used in the wild before being patched. The same kind of issue could arise with any other browser (and indeed, it has), or indeed with any OS or any other software which you use, even official and up to date versions. Having a clean install doesn't guarantee safety. |
|
|
|
|
Lucius
Legendary
Offline
Activity: 3220
Merit: 5630
Blackjack.fun-Free Raffle-Join&Win $50🎲
|
|
June 20, 2019, 12:54:17 PM |
|
You should be able to disable this by going to about:config, searching for browser.tabs.unloadOnLowMemory, and changing from "true" to "false".
Thanks for this information  I try some other options in about:config which I found on internet and which should have fix this problem, but nothing is work at that time. I will try with your advice, but I must say that some other browsers I use now (Brave, Opera and even Chrome) are working much better then Firefox in terms of speed and loads of RAM. Yet this is just my subjective thinking, and I'm sure personal experience depends on user hardware and OS. |
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
|
Theb
|
|
June 20, 2019, 01:23:05 PM |
|
Reports are already showing that hackers are able to exploit the bug for Remote Control Execution which makes the hacker gain control with their targeted web servers. Rumors are also telling that Coinbase might be the direct target with this kind of attack but there are still no reports of stolen fund from its users or for any websites out there yet.
|
|
|
|
|
