Mozilla has asked Germany-based security firm Cure53 to conduct an audit of the Firefox Accounts system and researchers identified a total of 15 issues, including vulnerabilities rated critical and high severity.
Firefox Accounts, also known as FxA, is the system that allows Firefox users to access hosted services provided by Mozilla. Since the component represents Firefox’s central authentication service and it’s likely to be targeted by malicious actors, Mozilla has decided to have it tested.
Tests conducted by Cure53 researchers over a 30-day period in September and October 2016 led to the discovery of 15 issues, which includes six vulnerabilities and nine general weaknesses.
The most serious of the flaws, rated critical, could have allowed hackers to launch cross-site scripting (XSS) and scriptless attacks in an effort to phish users or to steal sensitive information. However, Mozilla pointed out that exploitation of the flaw required registering a relier, a process that is not open to the public.
One of the high severity vulnerabilities found by Cure53 could have allowed arbitrary command execution if the attacker could determine the location for the execution of an application.
The list of high severity flaws also includes another XSS bug and an encryption weakness that may be exploited to increase the efficiency of brute-force attacks. The other problems identified by researchers have been classified as having low or medium severity.
Most of the vulnerabilities have been patched and Mozilla claimed that none of them had been exploited for malicious purposes and none of them put user data at risk.
“Given the amount of the audited code and the complexity of the project, this number of findings classifies as low and translates to an overall positive result of the investigation,” Cure53 said in its report. “Despite the fact that the tests were as thorough as possible on the codebase placed in scope, only a single ‘Critical’ finding was ultimately spotted. Even though this issue was discovered early on in the test, no major design issues were identified. Ultimately, the platform was perceived as rather robust and secured against a wide range of different attacks.”
In the past months, Mozilla commissioned audits for several pieces of software through its Secure Open Source (SOS) program, including for cURL, Dovecot and the Network Time Protocol (NTP).
Related Reading: Audit Finds Only One Severe Vulnerability in OpenVPN
Related Reading: VeraCrypt Patches Vulnerabilities Following Audit
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
