By CCN Markets: A vulnerability allowing for remote code execution (unauthorized use) in Firefox was exploited against Coinbase employees this past week. The vulnerability enabled an attacker to crash the browser and execute code, including installing a trojan horse backdoor. It’s unknown how long this bug operated in the wild, but accurate estimates would give it at least two weeks.
No Coinbase Users Victimized
Here is a scenario where the bug could have affected exchange users:
A user is compromised by a fake e-mail from Coinbase urging them to do something. They redirect to the payload, which installs a trojan horse. The Trojan allows the attacker to screen-watch with something like TeamViewer. The next time the user goes to the exchange, the attacker observes. If the user has 2FA installed, the attacker waits until they’re in the process of making a withdrawal, and changes the withdrawal address. Or, worse, the user does not have 2FA, and the attacker opens a duplicate browser in the background and processes a withdrawal for himself.
The author is not a malicious hacker, but he’s sure there are even more inventive ways than this to exploit the vulnerability.
Coinbase Chief Security Officer Philip Martin says that Coinbase was not the only crypto target. He also points out that his team did not find evidence of customers compromised — only employees.
1/ A little more context on the Firefox 0-day reports. On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day firefox sandbox escape, to target Coinbase employees.
— Philip Martin (@SecurityGuyPhil) June 19, 2019
According to other reporting, the skilled attackers apparently have deep experience in exploiting 0-day vulnerabilities. In at least one case, a user was targeted after visiting a cryptocurrency exchange. He received an e-mail which contained a link. The link attempted to install a backdoor on his Mac computer.
Coinbase reports no financial losses as a result of the attack. Firefox has since patched the vulnerability, but some people aren’t happy with that.
Was Binance Also Targeted?
Binance CEO Changpeng Zhao called for people to stop using Firefox:
And don’t use Firefox (or at least upgrade it to the latest one). Stay #SAFU. https://t.co/FoP5XLU3wd
— CZ Binance (@cz_binance) June 21, 2019
The CEO hasn’t disclosed whether the exchange was also a target of the malware, but presumably, it would be chief among targets alongside Coinbase.
The Firefox bug comes just as Firefox promises to rebuild itself, yet again, once again becoming the world’s fastest browser and reportedly rolling out premium services.