Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Mozilla Firefox. Show all posts

18-Year-Old Vulnerability in Firefox and Chrome Actively Exploited in Cyber Attacks

 

A security vulnerability, identified 18 years ago and known as "0.0.0.0 Day," has been discovered to allow malicious websites to bypass security measures in Google Chrome, Mozilla Firefox, and Apple Safari. This vulnerability enables these websites to interact with services on a local network, posing significant risks.

It is important to note that this vulnerability affects only Linux and macOS devices and does not impact Windows systems. On the affected devices, attackers can exploit this flaw to remotely change settings, gain unauthorized access to protected information, and, in some cases, execute remote code. Despite being reported in 2008, this issue remains unresolved in Chrome, Firefox, and Safari, although all three browsers have acknowledged the problem and are working on a fix. Researchers at Oligo Security have observed multiple threat actors exploiting this vulnerability as part of their attack strategies.

The 0.0.0.0 Day vulnerability arises from inconsistent security mechanisms across different browsers and the lack of standardization, which allows public websites to communicate with local network services using the "wildcard" IP address 0.0.0.0. Typically, this IP address represents all IP addresses on the local machine or all network interfaces on the host. It can also be used as a placeholder address in DHCP requests or interpreted as the localhost (127.0.0.1) in local networking. Malicious websites can send HTTP requests to 0.0.0.0 targeting services running on the user's local machine. Due to inconsistent security, these requests are often processed.

Existing protection mechanisms like Cross-Origin Resource Sharing (CORS) and Private Network Access (PNA) fail to prevent this risky activity, according to Oligo. Web browsers typically prevent websites from making requests to third-party sites and using the returned information to protect against malicious websites connecting to other URLs in a visitor's web browser where they may be authenticated, such as online banking portals or email servers.

Unfortunately, the risk isn't just theoretical. Oligo Security has identified several cases where the 0.0.0.0 Day vulnerability is actively exploited. One such case is the ShadowRay campaign, documented last March, targeting AI workloads running locally on developers' machines. The attack begins when a victim clicks on a link that triggers JavaScript to send an HTTP request to 'http://0[.]0[.]0[.]0:8265', typically used by Ray. 

These requests reach the local Ray cluster, leading to scenarios of arbitrary code execution, reverse shells, and configuration alterations. Another campaign targeting Selenium Grid was discovered by Wiz, where attackers use JavaScript on a public domain to send requests to 'http://0[.]0[.]0[.]0:4444.' These requests are routed to the Selenium Grid servers, enabling code execution or network reconnaissance. The "ShellTorch" vulnerability, reported by Oligo in October 2023, involves the TorchServe web panel being bound to the 0.0.0.0 IP address by default, exposing it to malicious requests.

In response to Oligo's disclosure, web browser developers are starting to take action. Google Chrome, the world's most popular web browser, plans to block access to 0.0.0.0 via a gradual rollout from version 128 to version 133. Mozilla Firefox, which does not yet implement PNA, has set the development of this feature as a high priority and has initiated temporary fixes, though no rollout dates have been provided. Apple has implemented additional IP checks on Safari and will block access to 0.0.0.0 in version 18, introduced with macOS Sequoia.

Until browser fixes are fully implemented, Oligo recommends that app developers take the following security measures:

- Implement PNA headers.
- Verify HOST headers to protect against DNS rebinding attacks.
- Do not trust localhost—add authorization, even locally.
- Use HTTPS whenever possible.
- Implement CSRF tokens, even for local apps.

Most importantly, developers should be aware that until these fixes are rolled out, it is still possible for malicious websites to route HTTP requests to internal IP addresses. This security consideration should be kept in mind when developing apps.

Why You Should Clear Your Android Browser’s Cache and Cookies



The web browsers of your Android devices, whether it's Google Chrome, Mozilla Firefox, or Samsung Internet, stores a variety of files, images, and data from the websites you visit. While this data can help load sites faster and keep you logged in, it also accumulates a lot of unnecessary information. This data buildup can potentially pose privacy risks.

Over time, your browser’s cookies and cache collect a lot of junk files. Some of this data comes from sites you’ve visited only once, while others track your browsing habits to serve targeted ads. For example, you might see frequent ads for items you viewed recently. Clearing your cache regularly helps eliminate this unnecessary data, reducing the risk of unknown data trackers lurking in your browser.

Though clearing your cache means you’ll have to log back into your favourite websites, it’s a small inconvenience compared to the benefit of protecting your privacy and freeing up storage space on your phone.

How to Clear Cookies and Cache in Google Chrome

To clear cookies and cache in Google Chrome on your Android device, tap the More button (three vertical dots) in the top right corner. Go to History and then Delete browsing data. Alternatively, you can navigate through Chrome’s Settings menu to Privacy and Security, and then Delete browsing data. You’ll have options under Basic and Advanced settings to clear browsing history, cookies and site data, and cached images and files. You can choose a time range to delete this data, ranging from the past 24 hours to all time. After selecting what you want to delete, tap Clear data.

How to Get Rid Of Unnecessary Web Files in Samsung Internet

For Samsung Internet, there are two ways to clear your cookies and cache. In the browser app, tap the Options button (three horizontal lines) in the bottom right corner, then go to Settings, and select Personal browsing data. Tap Delete browsing data to choose what you want to delete, such as browsing history, cookies, and cached images. Confirm your choices and delete.

Alternatively, you can clear data from the Settings app on your phone. Go to Settings, then Apps, and select Samsung Internet. Tap Storage, where you’ll find options to Clear cache and Clear storage. Clear cache will delete cached files immediately, while Clear storage will remove all app data, including cookies, settings, and accounts.

How to Declutter in Mozilla Firefox

In Mozilla Firefox, clearing cookies and cache is also straightforward. Tap the More button (three vertical dots) on the right of the address bar, then go to Settings and scroll down to Delete browsing data. Firefox offers options to delete open tabs, browsing history, site permissions, downloads, cookies, and cached images. Unlike Chrome, Firefox does not allow you to select a time range, but you can be specific about the types of data you want to remove.

Firefox also has a feature to automatically delete browsing data every time you quit the app. Enable this by going to Settings and selecting Delete browsing data on quit. This helps keep your browser tidy and ensures your browsing history isn’t accessible if your phone is lost or stolen.

Regularly clearing cookies and cache from your Android browser is crucial for maintaining privacy and keeping your device free from unnecessary data. Each browser—Google Chrome, Samsung Internet, and Mozilla Firefox—offers simple steps to manage and delete this data, boosting both security and performance. By following these steps, you can ensure a safer and more efficient browsing experience on your Android device.


Mozilla Firefox's Premium Dark Web Monitoring Solution

 

Mozilla, renowned for its commitment to an open and secure internet, has recently made a strategic foray into unexplored realms with the introduction of a subscription-based dark web monitoring service. This bold move signifies the organization's dedication to empowering users in the ongoing battle for online privacy, allowing them to take proactive measures to secure their personal information from the covert corners of the internet. 

The dark web, notorious for being a hub for stolen data and illicit activities, prompted Mozilla to take a pioneering stance by providing users with a tool to monitor their personal data on this clandestine platform. This new service enables users to keep a vigilant eye on the dark web, receiving real-time alerts if any traces of their personal information, from email addresses to passwords, are detected. It acts as a digital sentinel, offering a robust defense mechanism against potential cyber threats. 

Mozilla's approach to dark web monitoring is distinctive due to its unwavering commitment to user privacy. The service is designed to ensure that users' sensitive information remains shielded throughout the monitoring process, setting it apart from other solutions in the market. This emphasis on privacy aligns with Mozilla's longstanding dedication to user rights and transparency. 

While the concept of dark web monitoring isn't entirely new, Mozilla's entry adds an extra layer of trust and credibility to the landscape. Given its track record in advocating for user rights and a secure online environment, the organization brings a sense of reliability to this evolving sector. The subscription-based model not only makes the service accessible to a broader audience but also positions it as a valuable tool for individuals looking to proactively protect their digital identities without incurring exorbitant costs. 

However, as with any innovative move, there are critics raising questions about the broader responsibility of tech companies in ensuring user safety. Some argue that features like dark web monitoring should be inherent in basic services rather than being monetized as an additional layer of protection. In response, Mozilla asserts that the subscription fee is crucial for sustaining ongoing monitoring efforts and upholding the service's integrity. 

Mozilla's venture into dark web monitoring represents a significant step towards empowering users to navigate the intricate landscape of online security. As the digital realm continues to evolve, the importance of proactive measures to counter cyber threats becomes increasingly evident. Mozilla's privacy-centric service, though met with scepticism by some, has the potential to redefine how users approach safeguarding their personal data in the enigmatic realm of the dark web. It not only adds a layer of security but also reinforces Mozilla's commitment to creating a safer and more secure online experience for all users.

Patches for Firefox Updates in an Emergency Two Zero-Day Vulnerabilities 

 

Mozilla released an emergency security upgrade for Firefox over the weekend to address two zero-day flaws which have been exploited in attacks. The two security holes, identified as CVE-2022-26485 and CVE-2022-26486 graded "critical severity," are use-after-free issues detected and reported by security researchers using Qihoo 360 ATA. 

WebGPU is a web API that uses a machine's graphics processing unit to support multimedia on web pages (GPU). It is used for a variety of tasks, including gaming, video conferencing, and 3D modeling. 

Both zero-day flaws are "use-after-free" problems, in which a program attempts to use memory that has already been cleared. When threat actors take advantage of this type of flaw, it can cause the program to crash while also allowing commands to be executed without permission on the device.

According to Mozilla, "an unanticipated event in the WebGPU IPC infrastructure could escalate to a use-after-free and vulnerable sandbox escape." 

Mozilla has patched the following zero-day vulnerabilities: 

  • Use-after-free in XSLT parameter processing - CVE-2022-26485 During processing, removing an XSLT argument could have resulted in an exploitable use-after-free. There have been reports of cyberattacks in the wild taking advantage of this weakness. 
  • Use-after-free in the WebGPU IPC Framework - CVE-2022-26486 A use-after-free and exploit sandbox escape could be enabled by an unexpected event in the WebGPU IPC framework. There have been reports of attacks in the wild that take advantage of this weakness. 
Since these issues are of extreme concern and are being actively exploited, it is strongly advised to all Firefox users that they upgrade their browsers right away. By heading to the Firefox menu > Help > About Firefox, users can manually check for new updates. Firefox will then look for and install the most recent update, prompting you to restart your browser.

Malicious Add-Ons Blocked by Mozilla Firefox

 

The Mozilla Firefox team recently restricted add-ons that have been misusing the proxy API, preventing approximately 455,000 users from upgrading their browsers. 

Mozilla's development team members Rachel Tublitz and Stuart Colville claimed in a Monday post that they had found the rogue add-ons in early June. The add-ons were exploiting the proxy API, that is used by APIs to manage how Firefox connects to the internet. 

Add-ons are advanced software pieces that may be installed to Firefox or other programs to personalize the browser by performing things like limiting tracking, removing advertisements, downloading movies from websites, or translating information. 

However, from the other extreme, they may be malicious tiny creatures that install malware, such as the 28 Facebook, Vimeo, Instagram, as well as other add-ons discovered by experts last year in widely utilized Google and Microsoft browsers. The add-ons stole private data, seemed to have the capacity to activate more malware downloads, and altered links that victims clicked on to send them to phishing sites and advertisements. 

The Firefox team stated that the problematic Firefox add-ons discovered in June, dubbed Bypass and Bypass XM, were intercepting and redirecting users from downloading updates, accessing updated blocklists, and upgrading remotely set material. Mozilla has banned the rogue add-ons from being downloaded by more users. 

According to a blog post, Mozilla is now accepting new applications. The document also includes suggested parameters for Firefox add-on developers to assist accelerate add-on evaluation. 

Mozilla has also altered how well the browser handles key queries such as update requests. Beginning with Firefox 91.1, if an essential demand is performed through a proxy configuration that fails, Firefox will fall back on direct connections. 

“Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users,” the Firefox developers said. 

To prevent such fraudulent add-ons, the team had installed a system add-on called Proxy Failover (ID: proxy-failover@mozilla.com). System add-ons — a means to ship Firefox extensions – are hidden, cannot be disabled, and may be updated without restarting the browser. According to Mozilla, Proxy Failover is now available in both current and older Firefox versions. 

Anyone who isn't using the newest version and hasn't disabled updates should check to see if they've been impacted by the malicious add-ons, according to Mozilla. The very first step is to attempt an upgrade of Firefox: Recent versions have an upgraded blocklist that removes harmful add-ons automatically.

Mozilla: Maximum Breached Accounts had Superhero and Disney Princes Names as Passwords

 

The passwords that we make for our accounts are very similar to a house key used to lock the house. The password protects the online home (account) of personal information, thus possessing an extremely strong password is just like employing a superhero in a battle of heroes and villains. 

However, according to a new blog post by Mozilla, superhero-themed passwords are progressively popping up in data breaches. Though it may sound absurd - following the research done by Mozilla using the data from haveibeenpwned.com, it was evident that most frequent passwords discovered in data breaches were created on either the names of superheroes or Disney princesses. Such obvious passwords make it easier for hackers to attack and hijack any account or system. 

While analyzing the data it was seen that 368,397 breaches included Superman, 226,327 breaches included Batman, and 160,030 breaches had Spider-Man as their passwords. Further, thousands of breaches featured Wolverine and Ironman as well. And not only this research from 2019 showed that 192,023 breached included Jasmine and 49,763 breached included Aurora as their password.

There were 484,4765 breached that had password as ‘princess’ and some Disney + accounts had password as ‘Disney’. This is one of the biggest reasons that support data breaches by hackers and boost their confidence.

With the increasing frequency of compromised account credentials on the dark web, a growing number of businesses are turning to password-less solutions. Microsoft has expanded its password-less sign-in option from Azure Active Directory (AAD) commercial clients to use Microsoft accounts on Windows 10 and Windows 11 PCs. 

Almost all of Microsoft's employees are passwordless, according to Vasu Jakkal, corporate vice president of the Microsoft Security, Compliance, Identity, and Management group.

"We use Windows Hello and biometrics. Microsoft already has 200 million passwords fewer customers across consumer and enterprise," Jakkal said. "We are going completely passwordless for Microsoft accounts. So you don't need a password at all," he further added. 

Though it's common to reuse passwords, it is highly dangerous, yet it's all too frequently because it's simple and people aren't aware of the consequences. Credential stuffing exploits take advantage of repeated passwords by automating login attempts targeting systems utilizing well-known email addresses and password pairings. One must keep changing their passwords from time to time and try to create a strong yet not so obvious password.

Total Cookie Protection Launched in The New Upgrade of Firefox

 

Mozilla's latest Firefox 86 has been rolled -out for desktop, Mac, Windows, and Linux platforms. The browser upgrade brings features like multiple image mode and video replay, backward and forward buttons. Total Cookie Protection has been integrated into the Strict Enhanced Tracking Protection (ETP) platform, which has been revealed on Tuesday with the launch of Firefox 86. Complete cookie protections were referred to as 'huge advance' in containing cookies that are placed into new 'cookie jars' by websites. 

Cookies are text files containing tiny pieces of information by which the computer can be detected. While intended to enhance the viewing experience on the website, it could also be used, despite any permission, to track online activities. Google now plans to destroy third-party cookies as part of its Sandbox privacy project on its Chrome web browser, an effort that aims to allow personal ads while restricting data detection. 

Mozilla uses the 'cookie jar' example to explain the current blocker, whereby each third-party that drops a cookie in the browser has all the collected knowledge limited to its own cookie jar. This stops trackers from monitoring the activities from site to site. In its battle to protect the privacy of people while accessing the internet, Mozilla's Total Cookie Protection is the most recent maneuver. Total cookie protection adds up to current Firefox attempts to prevent websites and online publicity providers from making a profile of one’s web history through using internet cookies as well as other computer scripts. 

“Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website,” Mozilla wrote in a blog post. 

The company wants to silo off each because the cookie data is exchanged on the pages. Online advertisers can then understand what websites users want to access so that they can try and send relevant ads. 

“In combining Total Cookie Protection with last month’s super cookie protections, Firefox is now armed with very strong, comprehensive protection against cookie tracking,” the company said. 

The Total Cookie Protection also provides an exception for non-tracking cookie-related scripts such as third-party login or password plugins.

The potential solution should therefore help avoid the breakdown of a website. Mozilla has taken a page in the "first party isolation" of Tor browser to develop total cookie protection, which also requires cookies to be segregated into the website domain.

Mozilla Firefox Disabling Backspace Key to Prevent Data Loss

Mozilla Firefox is about to disable the browser's backspace key to help users avoid data loss. 

In 2014, Google Chrome and Microsoft Edge have already removed the ability to go back to a previous page by using the backspace key as there were possibilities of losing data entered into forms on the current page. Those who are using Google Chrome have to download an extension to use this again, whereas Microsoft Edge had offered a flag for its users to re-active it. In the same way, Mozilla Firefox is also offering its users the option to re-activate the backspace key if they wish to do so. 

"Would be useful to determine how commonly backspace is used as a "back" action shortcut, so we can figure out if we need to tweak the UX somehow to avoid accidental loss of form data due to mistyping the backspace key," Google Chrome developers stated in a 2014 bug post. 

According to the sources, seven years ago, Mozilla Firefox had set up the committee and reviewed the bug post: whether the backspace key should be disabled or not. Finally, the committee had decided not to change anything at that time. Around six years later, Mozilla finally came to the point where it has decided to remove the backspace key after realizing that except for Mozilla and Internet Explorer 11, no browsers support this keyboard shortcut. 

"To prevent user data loss when filling out forms, the Backspace key as a navigation shortcut for "Go back one page" is now disabled. To re-enable the Backspace keyboard shortcut, you can change the about: config preference browser.backspace_action to 0. You can also use the recommended Alt + Left arrow (Command + Left arrow on Mac) shortcut instead," Firefox Release Manager Pascal Chevrel added to the Firefox Nightly 86.0a1 release notes. 

According to TechDows, the first who reported about this change which is now available live on the Firefox browser for users to test and know. 
Further information is for those users who want to continue using the backspace key, you will be able to re-enable this key just follow these steps: 

1. Enter about: config in the Firefox address bar. 
2. Search for browser.backspace_action and change its value to '0'. 

Once the setting is configured, you will be able to use the backspace key to go back to the previous page in Mozilla Firefox.

Firefox expected to release a fix for their "Camera active after phone locks" bug this October


A bug in Mozilla Firefox enabled websites to keep the smartphone camera active even after leaving the browser or locking the phone. The company is working on fixing the bug and are planning to release the fix around October this year.


The bug was first reported by Appear TV, a video delivery platform last year in July. The bug activates when a user opens a video streaming app from their Mozilla Firefox browser in their Android smartphone.

It was first noticed by Appear TV when the video kept playing in the background even when it should have stopped that is the video kept playing in the background even when the user moved out of the browser or pushed it to the background or locked the phone. This raised concerns over user's privacy and bandwidth loss. "From our analysis, a website is allowed to retain access to your camera or microphone whilst you're using other apps, or even if the phone is locked," said a privacy app, Traced in talks with ZDNet. "While there are times you might want the microphone or video to keep working in the background, your camera should never record you when your phone is locked".

On Fixing the Issue

 "As is the case with dedicated conferencing apps, we provide a system notification that lets people know when a website within Firefox is accessing the camera or microphone, but recognize that we can do better, especially since this gets hidden when the screen is locked," a Mozilla spokesperson said in a statement.

"This bug [fix] aims to address this by defaulting to audio-only when the screen is locked," Mozilla added. "[The fix] is scheduled for release at the platform-level this October, and for consumers shortly after."

Mozilla has been working on a next-generation browser Firefox Nightly with more focus on privacy to replace their current browser for Android. The update is out for testing.

"Meanwhile, our next-generation browser for Android, now available for testing as Firefox Nightly, already has a prominent notification for when sites access this hardware as well," said Mozilla.