Firefox PDF Bug Zero Day causes Data Leak and Password Stealing

By -
Mozilla Firefox , the most widely used web browser and know to every common , has been found with a critical bug that allows data leak and password stealing .

 Hackingloops recommends you to update your Firefox browser without any delay and make sure you have firefox version 39.0.3 . 


Data theft is just what Mozilla warned about in a blog post published on 06 August 2015, when it announced a critical update for Firefox.

This bug has been known to lead to information disclosures which means that it leads to security holes that allow confidential information leakage and password stealing and even Identity theft .
However this bug is not known to cause Remote Code Execution that allows the attacker to implant a malware on your computer without getting noticed and any popups .

Firefox PDF Bug

The security hole is found in Mozilla Firefox  own built-in PDF viewer. The PDF Viewer is not implemented as a plugin or extention but is actually a client side javascript which allows the user to view the PDF within the Browser without the need of any external plugin.  This is known to be as PDF.js
The PDF viewer is implemented inside the Firefox browser as a JavaScript Program and not as a plugin and allows to view the PDF inside the browser without the need of any external plugin .
However the bug is not known to allow any RCE (Remote Code Execution)that will enable the attacker to run malicious code in the browser , and hence cannot be used to insert any Malware .
However this Javascript PDF viewer can be exploited in several ways .

How Hackers are Targetting the Firefox PDF Bug 

Firefox pdf bug can allow the FireFox Browser to load the malicious javascript from external sources and run it as if the user loaded it locally . So the attacker can use this bug to load a javascript in your browser that can be used to upload files from your computer to a remote server without any prompt or interaction from the user .
So even if the malware is not downloaded on your machine , the attacker is still able to upload files files from your machine and steal critical data from your computer .
The firefox pdf bug is also a Voilation of  Same Origin Policy
Same origin poclicy is simply states that the browser is supposed to disallow javascript from site A from accessing any data from Site B or any other site for that matter . And Clearly if the Javascript program is not allowed to access the data from any other domain ,  It surely should not be allowed to access any data from your computer .
But due to firefox pdf bug , the files from your computer are sneaked away clearly voilating the cross origin policy . According to Mozilla , Hackers have already started exploiting this bug .
So now the adverstisement you see on your favourate news site could be stealing files from your system .

Comments

Post a Comment

Popular posts from this blog

HACK EMAIL-ID,USERNAME AND PASSWORD OR ANY USER DETAILS BY USING KALI LINUX.

By -
Image
HACK EMAIL-ID,USERNAME AND PASSWORD OR ANY USER DETAILS BY USING  KALI LINUX . Today,i am going to show you how you can get email-id,username and password or any user details you want by using  KALI LINUX . STEPS FOR SETTING UP YOUR SYSTEM. Download Kali Linux from   here . Extract the contents of Kali Linux iso file which you  downloaded in step and copy it to pendrive or instead of pendrive burn the iso file in cd if you want to make a cd of it. After copying all contents to pendrive or burning the iso file in cd,reboot you system,press F8 on boot-time and select boot from pendrive if you have copied all the files in pendrive,else boot from cd-rom if you burn the iso file in cd. After selecting the boot from device,the kali installation window will open,install accordingly as per your requirement. NOTE:During installation,in mount point of selected installation drive,set mount point to  "/" . Remember the username and password while installation as this will
Read more

Port Fail Vulnerability : Critical VPN Vulnerability

By -
Image
Port Fail Vulnerability : Critical VPN Vulnerability How Port Fail Vulnerability Exposes your REAL IP on SKYPE Using Port Fail Vulnerability it’s possible to disclose the real IP of a Skype accounts you’re interested in. There are a bunch of Skype IP resolvers which can give you the VPN IP address and port number of a Skype user using only their Skype login. Then you need to use the same thing a copyright monitoring company would use — send some UDP packets to the whole internet on the exact port. It’s remarkable but Skype will send you a reply for almost any data! The nping utility from  nmap  package suits our needs very well: # nping --udp -p 13318 --data-string 'hellothere!' -c 1 serv.valdikss.org.ru Starting Nping 0.7.00 ( https://nmap.org/nping ) at 2015-12-20 19:54 MSK SENT (0.0157s) UDP 195.154.127.59:53 > 92.42.31.8:13318 ttl=64 id=10802 iplen=39  RCVD (0.0859s) UDP 185.61.149.121:4272 > 195.154.127.59:53 ttl=54 id=1534 iplen=32    Max rtt: N/A | M
Read more