Bitcoin Forum
December 12, 2024, 11:52:13 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Wallet software > Another FireFox vulnerability that can hit WebWallets (update 20-June)
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Another FireFox vulnerability that can hit WebWallets (update 20-June)  (Read 266 times)
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3696
Merit: 6686


Crypto Swap Exchange


View Profile WWW
June 19, 2019, 01:19:15 PM
Last edit: June 20, 2019, 08:30:14 PM by DaveF
Merited by Pmalek (1), DaCryptoRaccoon (1)
 #1
Yet again why are you using web wallets?
But, if you are using web wallets or an exchange that relies on JavaScript update your FireFox to 67.0.3 67.0.4

A bit more info here but you have to do another update.
https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/

-Dave
█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████		▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
bitmover
Legendary
*
Online Online

Activity: 2520
Merit: 6370


Wheel of Whales 🐳


View Profile WWW
June 19, 2019, 02:10:32 PM
 #2
Quote from: DaveF on June 19, 2019, 01:19:15 PM
Yet again why are you using web wallets?

This is for me one of the main problems of Ethereum in my opinion. They don´t have a proper desktop wallet.
Users are always forced to use something like metamask, mycrypto, myetherwallet or whatever browsing solution. Even Hardware wallet such as Ledger Nano relies on those software to make transactions.

In bitcoin you really shouldn't be using any web or browser wallets (such as addons) at all.
███████████▄
████████▄▄██
█████████▀█
███████████▄███████▄
█████▄█▄██████████████
████▄█▀▄░█████▄████████
████▄███░████████████▀
████░█████░█████▀▄▄▄▄▄
█████░███░█████████▀▀
░▄█▀███░░▀▀▀██████
▀███████▄█▀▀▀██████▀
░░████▄▀░▀▀▀▀████▀		 

█████████████████████████
████████████▀░░░▀▀▀▀█████
█████████▀▀▀█▄░░░░░░░████
████▀▀░░░░░░░█▄░▄░░░▐████
████▌░░░░▄░░░▐████░░▐███
█████░░░▄██▄░░██▀░░░█████
█████▌░░▀██▀░░▐▌░░░▐█████
██████░░░░▀░░░░█░░░▐█████
██████▌░░░░░░░░▐█▄▄██████
███████▄░░▄▄▄████████████
█████████████████████████
█████████████████████████
████████▀▀░░░░░▀▀████████
██████░░▄██▄░▄██▄░░██████
█████░░████▀░▀████░░█████
████░░░░▀▀░░░░░▀▀░░░░████
████░░▄██░░░░░░░██▄░░████
████░░████░░░░░████░░████
█████░░▀▀░▄███▄░▀▀░░████
██████░░░░▀███▀░░░░██████
████████▄▄░░░░░▄▄████████
█████████████████████████		.
...SOL.....USDT...
...FAST PAYOUTS...
...BTC......TON...
jackg
Copper Member
Legendary
*
Offline Offline

Activity: 2856
Merit: 3071


https://bit.ly/387FXHi lightning theory


View Profile
June 19, 2019, 02:31:08 PM
 #3
Yeah I have to use mew on my trezor and it annoys me that there's no address verification like there is with bitcoin.

They used to enable noscript by default on Firefox, those were good times...
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18771


View Profile
June 19, 2019, 07:49:40 PM
Merited by mprep (1)
 #4
Quote from: DaveF on June 19, 2019, 01:19:15 PM
But, if you are using web wallets or an exchange that relies on JavaScript update your FireFox to 67.0.3
This doesn't just affect web wallets. It can affect your entire machine, including all wallets and any other sensitive data you may have on it. All Firefox users should upgrade immediately.

An "exploitable crash", as in the case of this bug, allows arbitrary code to be transferred and then ran outside of your browser. An attacker could do anything they want to your system after that if you have lax security measures in place. You can read more here: https://www.cisecurity.org/advisory/a-vulnerability-in-mozilla-firefox-could-allow-for-arbitrary-code-execution_2019-067/

The bug was initially reported by the Coinbase Security Team, but they haven't yet said whether they were actually attacked via this method or not.
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3696
Merit: 6686


Crypto Swap Exchange


View Profile WWW
June 20, 2019, 08:31:16 PM
 #5
They released 67.0.4 today. So even if you updated yesterday, you get to do it again today.

-Dave
█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████		▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
DaveF (OP)
Legendary
*
Offline Offline

Activity: 3696
Merit: 6686


Crypto Swap Exchange


View Profile WWW
June 20, 2019, 08:33:01 PM
 #6
Quote from: o_e_l_e_o on June 19, 2019, 07:49:40 PM
The bug was initially reported by the Coinbase Security Team, but they haven't yet said whether they were actually attacked via this method or not.

They were but attacked, but according to the article the attack was not successful.

https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/

-Dave
█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████		▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Wallet software > Another FireFox vulnerability that can hit WebWallets (update 20-June)
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!