Tag Archive for: firefox
Firefox for Android gets critical update to block cookie-stealing hole – Naked Security
Usually, when browser updates come out, it’s obvious what to do if you’re running that browser on your laptop or desktop computer.
But we often get questions from readers (questions that we can’t always answer) wondering what to do if they’re using that browser on their mobile phone, where version numbering is often bewildering.
In the case of Firefox’s latest update we can at least partly answer that question for Android users, because the latest 88.0.1 “point release” of Mozilla’s browser lists only one security patch dubbed critical, namely CVE-2021-29953:
This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.
The bug listed here is what’s known as a Universal Cross-site Scripting (UXSS) vulnerability, which means it’s a way for attackers to access private browser data from website X while you are browsing on booby-trapped website Y.
That’s definitely not supposed to happen.
Your browser is supposed to stop data such as cookies “leaking” between websites, or else site Y could peek at data such as your login details for site X, and abuse that site-specific data to masquerade as you on site X and hijack your account.
Browsers are supposed to enforce the aptly-named Same Origin Policy, or SOP, whereby locally-saved web data is locked down so it can only be read back in later on by the same website that saved it in the first place.
This helps to maintain security and privacy by preventing websites from leeching information about each other’s users.
XSS bad, UXSS worse
One trick often used by crooks to violate the SOP is plain old Cross-site Scripting (XSS), which is the name given to any JavaScript-based privacy flaw that affects a specific website.
Imagine, for example, that I can trick your website into serving up JavaScript of my choosing, for example by sneakily embedding some JavaScript in a search link in such a way that your server erroneously reproduces my unmodified JavaScript in any replies sent back to those who click on that link.
Even though it’s my script, it came back from your server, so my code passes the…
Wormhole promises to be a better longer-living Firefox Send alternative
Wormhole is a new file sharing service that promises to be a better, longer-living version of Firefox Send, a file sharing service that Mozilla discontinued some time ago. Does Wormhole live up to the promises that it makes? Let’s find out.
First, the basics: Wormhole can be used by anyone to send files with a total size of up to 10 Gigabytes. The service uses end-to-end encryption, which means that the owners of Wormhole, as well as the Internet Service Provider or network listeners, don’t know the content of the files that are shared using the service.
To use it, visit the Wormhole website and either use drag & drop to add files to the send queue or use the file/folder browser instead. Wormhole works in all modern web browsers.
You get options to copy the link to the cloud copy of the files and a share link right away, even before the actual upload has started; this is one distinguishing factor as most file sharing services display share links and options only after a successful transfer. Wormhole calls this “instant file streaming”, and recipients may start downloading files even before the upload completes.
You may copy the link to share it with others, or use the share option to use sharing options provided by the operating system. Recipients may download all files or only select files.
One interesting option that Wormhole supports is direct sharing via WiFi or Bluetooth; these may offer faster transfer speeds, as local networks are used when possible.
The encrypted files are stored for 24 hours in the cloud before they are deleted automatically.
The Wormhole security page describes the security techniques the service implements. Besides end-to-end encryption, Wormhole promises that it does not display advertisements or load trackers. The service’s key management and other security features are outlined on the page as well.
Firefox Send did support a number of features and options that Wormhole does not support at the time of writing, including password protection of files, download limits, or different storage limits.
Wormhole does not require an account at the time of writing, has a large file size limit, and supports local area network sharing. The features could…