New Firefox Zero-Day Vulnerability Nabs Local Files and Leaves No Traces

A new Firefox exploit has been reported as already being used in the wild via aware-serving websites, enabling attackers to collect sensitive local files and upload them to an attacker-controlled server, leaving no trace of the payload’s presence.

Although the vulnerability does not involve executing arbitrary code on the local machine, it is used to “inject a JavaScript payload into the local file context.”

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer,” wrote Daniel Veditz on the official Mozilla blog. “Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable.”

The vulnerability does apparently affect Windows, Linux and Mac users, but not Android Firefox users. The reported incident, however, seems to only affect Windows and Linux users, although Mac fans could be targeted if the payload were to be slightly manipulated.

“On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients,” wrote Veditz. “On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.”

Those who rely on adware-blocking services to browse without ads may have been safe from the vulnerability, depending on the type of software and filters.

The issue is said to have already been fixed with the new Firefox 39.0.3 and Firefox ESR 38.1.1 versions, but users are still encouraged to change all passwords or keys found in the above-mentioned files to prevent subsequent breaches.