sb-nz logo
Story image

Aura Infosec discovers major Mozilla Firefox vulnerability

10 Apr 2019

A security consultant at trans-Tasman cybersecurity consultancy, Aura Information Security, is behind the discovery of a major vulnerability in popular web browser Mozilla Firefox that had the potential to expose millions of people’s private online images and documents.

Alex Nikolova, who is based out of Aura’s Wellington office, made the discovery whilst conducting a research project on the same-origin policy of various web browsers, and immediately reported it to Mozilla, who fixed the issue within days.

Alex discovered a bug that had the potential to allow hackers to access user’s images and documents stored in image format, without being detected.

“Usually when a user visits one site, for example, mypics.example, web browsers are supposed to prevent another site, say evil.example, from being able to request information from mypics.example using the user's login session on mypics.example. This is called a "same-origin policy" and it dictates how browsers should behave when it comes to cross-site requests. 

“This bug essentially prevents this same-origin policy from working and allows attackers to easily access private images (which should be accessible only to a logged in user) on any site accessed via Firefox, e.g. Facebook, Instagram, online banking, or even government sites which may store their documents in image file format.

“The image can be anything: from a scanned document to a QR code used for two-factor authentication, and can be in any format (e.g. png, jpg, svg),” she says.

The vulnerability was apparent and exploitable in Firefox (version 65.0) and while it was also present in Google Chrome, Nikolova says that it was never exploitable in the latter, making it a medium-level threat.

Aura general manager Peter Bailey says Alex’s find is just one example of the research coming out of New Zealand and Australia.

“We’re incredibly proud of Alex, research like this is a huge part of what we do at Aura as it encourages our team to be a part of the solution – rather than simply fighting fires or responding to attacks when they’ve already occurred.

“The cybersecurity talent in New Zealand and Australia is world-class, and Alex’s find is just one example of the incredible research coming out of our small but very important corner of the world,” says Bailey.

Aura Information Security sets aside up to 20% of consultants’ time per week for research-based projects.

The company’s consultants have been asked to present research findings at leading InfoSec events all over the world.

Talking about what drives her work and her passion for the industry, Alex notes that while discoveries like this help, it’s the constant evolution of the threat landscape that really thrills her.

“I see it as a puzzle to be solved, to learn how the criminal thinks and always stay one step ahead of them. It ties my love of technical stuff and coding, together with my interest in criminal psychological profiling.

“In my job, I have to get into the attacker's shoes, try to think like them. I'm always looking forward to being presented with the open question of ‘how do you go about owning every possible aspect of that infrastructure’ every time I start a new job.”

Her final advice to all businesses is: “Patch. Keep yourself up-to-date, all the time. Vulnerabilities come out every day and those who want to exploit your data don't need longer than that.”

Story image
IBM report: Security response improving - containing attacks, not so much
“While more organisations are taking incident response planning seriously, preparing for cyber-attacks isn’t a one and done activity."More
Story image
Gartner recognises Pulse Secure for Zero Trust Network Access solution
In the market guide, Gartner states that ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate. More
Story image
Bitglass deepens integration with MFA vendor Duo Security
Bitglass has announced a deepened integration with Duo Security, now part of Cisco, as it looks to strengthen security for the modern workforce.More
Download image
Workforce demographics and culture is changing. Management must too
The way we work is changing, and so is the make-up of the workforce. To get the best results, businesses need to take on dynamic workforce management.More
Story image
Oracle combines cloud automation with comms security in new solution
The Oracle Communications Security Shield (OCSS) Cloud is built on the company’s cloud infrastructure, and uses AI and real-time enforcement to combat the heightened risk of infrastructure attacks presented to contact centres and enterprises.More
Download image
Strengthen the weakest link in your security chain
Globalisation. Remote working. High-turnover workforces. These factors and more add up to make increasingly dynamic workforces - and without proper management, your business could fall behind.More