
Aura Infosec discovers major Mozilla Firefox vulnerability

10 Apr 2019

A security consultant at trans-Tasman cybersecurity consultancy, Aura Information Security, is behind the discovery of a major vulnerability in popular web browser Mozilla Firefox that had the potential to expose millions of people’s private online images and documents.

Alex Nikolova, who is based out of Aura’s Wellington office, made the discovery whilst conducting a research project on the same-origin policy of various web browsers, and immediately reported it to Mozilla, who fixed the issue within days.

Alex discovered a bug that had the potential to allow hackers to access users’ images and documents stored in image format, without being detected.

“Usually when a user visits one site, for example, mypics.example, web browsers are supposed to prevent another site, say evil.example, from being able to request information from mypics.example using the user's login session on mypics.example. This is called a "same-origin policy" and it dictates how browsers should behave when it comes to cross-site requests. 

“This bug essentially prevents this same-origin policy from working and allows attackers to easily access private images (which should be accessible only to a logged-in user) on any site accessed via Firefox, e.g. Facebook, Instagram, online banking, or even government sites which may store their documents in image file format.

“The image can be anything: from a scanned document to a QR code used for two-factor authentication, and can be in any format (e.g. png, jpg, svg),” she says.

The vulnerability was apparent and exploitable in Firefox (version 65.0), and while it was also present in Google Chrome, Nikolova says that it was never exploitable in the latter, making it a medium-level threat.

Aura general manager Peter Bailey says Alex’s find is just one example of the research coming out of New Zealand and Australia.

“We’re incredibly proud of Alex. Research like this is a huge part of what we do at Aura as it encourages our team to be a part of the solution – rather than simply fighting fires or responding to attacks when they’ve already occurred.

“The cybersecurity talent in New Zealand and Australia is world-class, and Alex’s find is just one example of the incredible research coming out of our small but very important corner of the world,” says Bailey.

Aura Information Security sets aside up to 20% of consultants’ time per week for research-based projects.

The company’s consultants have been asked to present research findings at leading InfoSec events all over the world.

Talking about what drives her work and her passion for the industry, Alex notes that while discoveries like this help, it’s the constant evolution of the threat landscape that really thrills her.

“I see it as a puzzle to be solved, to learn how the criminal thinks and always stay one step ahead of them. It ties my love of technical stuff and coding, together with my interest in criminal psychological profiling.

“In my job, I have to get into the attacker's shoes, try to think like them. I'm always looking forward to being presented with the open question of ‘how do you go about owning every possible aspect of that infrastructure’ every time I start a new job.”

Her final advice to all businesses is: “Patch. Keep yourself up-to-date, all the time. Vulnerabilities come out every day and those who want to exploit your data don't need longer than that.”