
Firefox zero-day was used in attack against Coinbase employees, not its users - ga-vu
https://www.zdnet.com/article/firefox-zero-day-was-used-in-attack-against-coinbase-employees-not-its-users/
======
ga-vu
Article poses a good question. How did a privately reported zero-day leak from
Bugzilla into an attacker's arsenal?

Also, why did it take 2 months to fix an RCE? It's an RCE, not some XSS. I'd
imagine this would be a high priority. No?

~~~
jessaustin
TFA's first answer is the most likely. If one researcher discovers a
vulnerability, another researcher can also discover it. No "leak" required.

I agree that RCE should be a priority!

~~~
Scaevolus
I'm betting on insider access. Microsoft had to lock down internal access to
their security bugs when some employees were selling the bugs on the black
market.

~~~
garren
Do you have a source for that? Google's not giving me anything. I'd definitely
like to know more - I can't help but wonder how widespread that kind of
behavior is.

~~~
dboreham
Locking security bugs from wide internal read access has been SOP everywhere
I've worked for decades.

~~~
laughinghan
I think they're asking for a source on the specific claim about Microsoft
employees selling bugs on the black market, which is what I would also like to
see.

I don't need to be convinced that security bugs should be on a need-to-know
basis during the responsible disclosure period, that seems obviously prudent.
Anyone not working specifically on security can learn about the details at the
same time as the wider public.

------
docker_up
A good example of why HTML emails need to be downgraded to plain text in
financial companies, and links stripped and checked before it's shown.

~~~
inetknght
Now if only every company and their mother would stop using third parties for
links.

I don't care if you track that I clicked on your link. I care that your link
doesn't appear to go to the same site your reply-to email would go.
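
A defender-side illustration of the two points above (docker_up's "downgrade to plain text and check links", inetknght's "does the link host match the reply-to domain?"), added here as an example and not code from the thread or the article; the message, addresses and hosts are constructed, and the registrable-domain check is a deliberate simplification (last two labels, no public-suffix list):

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the visible text says "a form on our website",
# but the link actually points at a third-party host.
RAW_EMAIL = b"""From: Support <support@example-bank.com>
Reply-To: support@example-bank.com
To: alice@example-bank.com
Subject: Please confirm your details
Content-Type: text/html; charset=utf-8

<p>There is a form on our website:
<a href="https://click.tracker-example.net/r/abc123">Open form</a>
and our FAQ: <a href="https://help.example-bank.com/faq">FAQ</a></p>
"""

class LinkAndTextExtractor(HTMLParser):
    """Collects href targets and the visible text (the plain-text downgrade)."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)
    def handle_data(self, data):
        self.text.append(data)

def base_domain(host):
    # Simplification: registrable domain == last two labels (no public-suffix list).
    return ".".join(host.lower().rsplit(".", 2)[-2:]) if host else ""

def check_message(raw):
    """Return the plain-text body, all links, and links whose host does not
    match the Reply-To (or From) domain; mailto:/relative links count as mismatches."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = msg.get("Reply-To") or msg.get("From")
    sender_domain = base_domain(parseaddr(sender)[1].split("@")[-1])
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkAndTextExtractor()
    parser.feed(body.get_content())
    suspicious = [u for u in parser.links
                  if base_domain(urlparse(u).hostname) != sender_domain]
    return {"plain_text": " ".join("".join(parser.text).split()),
            "links": parser.links, "suspicious": suspicious}
```

A mail gateway would show the user `plain_text` and hold or rewrite anything in `suspicious` for review.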

~~~
tgragnato
> I care that your link doesn't appear to go to the same site your reply-to
> email would go.

From one of the last emails I read this evening: "we would like to inform you
that there is a form on our website" [me]: The form is not on your website,
only the link to it.

You're right, but it's much more simple to disallow links, people don't really
understand the difference on a website, emails are another additional
complication.

~~~
inetknght
How would you recover accounts if links weren't permitted?

~~~
tgragnato
I'm late to this, but...

1. while developing -> send tokens for copy/paste if a user has chosen text-
only emails

2. while administering -> institute the policy of having to ask one of the
administrators, if it happens too often you have worse problems in any case

------
camjohnson26
It's interesting how cryptocurrencies have provided an economic incentive for
exploiting zero days. It's hard to keep an exploit a secret when there's such
huge potential payoffs.

The level of sophistication in crypto hacking would terrify me if I were a
crypto startup employee.

~~~
Aaronstotle
Speaking as someone who works for a crypto-startup, it's hardly soothing to
know that we are a gigantic target for hackers. Also have the joy of being
consistently bombarded with phishing emails pretending to be from other
employees.

~~~
minderasure
For internal funds use Multi-sig and require all signers to use hardware
wallets. As for contracts, formally verify them using KEVM and get audited by
a reputable cybersecurity firm like Trail of Bits.

------
verroq
I am more interested in how Coinbase employees discovered the attack. I am
assuming nobody clicked the suspicious link and instead took it to a vm for
reversing and analysis. It would have been game over if the exploit was
actually executed on a non-sandboxed machine.

~~~
tedunangst
Notice unusual connections coming from one laptop, then use a second system to
click on all the links they clicked the day before?

------
aaronharnly
I’d love to know how Coinbase discovered the exploit — whether on the employee
desktops, due to unusual activity by the employee account on internal Coinbase
systems, at the company network level, by a human or robot, etc.

~~~
casper0_0
https://twitter.com/SecurityGuyPhil/status/1141466335592869888

~~~
aaronharnly
Thank you! Great that they shared the IOCs and IPs associated with the attack.
That thread doesn’t really describe how they discovered it though, right?

------
nickpsecurity
They left out one other opportunity: they purchased the 0-days from a broker
or company like Zerodium. The cost might be worth it to them if there were
high, perceived odds of getting in.

~~~
tgragnato
Is it really that easy to get access to the exploits of the acquisition
program? Throw them a bunch of money and it's yours?

~~~
nickpsecurity
I'm not saying it was easy. I have no idea how those programs or the brokers
supplying them work. In this hypothetical scenario, they could be regular
customers operating within the suppliers' expectations. Alternatively, a
broker has some 0-days that the big-name companies aren't buying or not at
that price. Potentially already has them. Some other party is willing to buy
them at a nice, but reduced, price.

When I did thought experiments on it, one of the big issues for me was how to
show buyers the vulnerability without losing money from them stealing it or
deal with them claiming that they already had it in a way that minimizes risk
to all parties. It was a tricky problem. Folks selling on the side was a
potential result in some scenarios.

------
vinay_ys
Do we know how the exploit would be used? If you are accessing your mail
account in the same browser, are you at risk?

------
LUmBULtERA
Serious question, is Chrome considered to be more secure than Firefox by
cybersecurity professionals? And if so, why?

------
xtalh
Why were Coinbase employees allowed to use Mozilla Firefox?

~~~
AnaniasAnanas
A better question would be: why were Coinbase employees allowed to use any
browser with javascript enabled and outside of a VM? Qubes OS has been a thing
for quite a while.

~~~
toyg
_> why were Coinbase employees allowed to use any browser with javascript
enabled_

I don't know, maybe because they need to get work done...? Even traditional
banks allow JS.

~~~
gpm
I've worked at a large traditional bank (market cap and enterprise value are
both around 100b), they also allowed firefox as well as js, at least for
developers (I don't know what it looked like for non developers).

~~~
hackinthebochs
Of course, there generally are legal processes to leverage if money is stolen
from a bank. The cryptosphere isn't as forgiving.

------
chessturk
Have they considered rewriting it in Rust?

