Firefox browser hacked in 8 seconds using 2 critical security flaws

With Windows 11, Microsoft Teams, Ubuntu Desktop and the Tesla Model 3 all falling victim to hacks in a week, you could be forgiven for not noticing that Mozilla Firefox got hacked too. In just eight seconds using two critical security vulnerabilities.

Who hacked the Mozilla Firefox browser in just eight seconds?

The hacker in question was the most talented manfred paul who achieved the lightning-fast double exploit using two critical vulnerabilities during the PWN2OWN Vancouver, 2022 event, which ended on Friday, May 20.

Manfred Paul was fourth on stage during the opening session of PWWN2OWN on Wednesday, May 18. His incredibly fast, two-headed, zero-day hack earned him a total of $100,000 in bounty from the event organizers. Later the same day, he won another $50,000 for a successful zero-day exploit on the Apple Safari browser.

MORE FORBESiOS 15.5-Apple releases iPhone security update for millions of users

What were the two critical vulnerabilities used?

Full technical details regarding the successful hack were immediately leaked to the Mozilla Foundation. In a security advisory dated May 20, the vulnerabilities, both classified as having a critical impact, were described as follows:

CVE-2022-1802

A “prototype pollution in the Top-Level Await implementation” could allow an attacker who corrupted an Array object in JavaScript to execute code in a privileged context.

CVE-2022-1529

An “untrusted input used in JavaScript object indexing, resulting in prototype pollution”, which could allow an attacker to send “a message to the parent process where content was used for double indexing in an object JavaScript”. This, in turn, led to the pollution prototype described in the first exploit example.

What should Firefox browser users do?

In most cases, the answer will be nothing. This in no way minimizes the seriousness of these critical vulnerabilities or the zero-day exploit that Manfred Paul was able to demonstrate to PWN2OWN.

On the contrary, it “plays” the fact that the Mozilla Foundation reacted very quickly to the disclosure and has already released an emergency update for Firefox that fixes the flaws. Since Firefox will update automatically by default, and will even update in the background when the browser isn’t open, it should already be applied and fixed for most users.

If you leave your browser running without restarting or have disabled automatic updates for any reason, you will not be protected until the patch has been downloaded, installed, and the browser restarted. For desktop users, that means heading to the hamburger menu in the top right, then Help | About Firefox.

The corrected and updated version numbers you are looking for are:

  • Firefox v100.0.2 for desktop users
  • Firefox v100.3.0 for Android users
  • Firefox v91.9.1 for Enterprise ‘Extended Support Release’ users

A quick check of the iOS app status shows that it hasn’t been updated since before the PWN2OWN event and is currently at v100.1 (9384) at least on my iPhone 13 Pro . I’ve reached out to ask if an iOS update is yet to come or if the exploit doesn’t apply on this platform and will update the article when I know more.

Leave a Comment