Search This Blog

Showing posts with label Mozilla. Show all posts

Apple Engineers to Standardize the Format of the SMS Messages Containing OTPs


A proposal comes from Apple engineers working at WebKit, the core component of the Safari web browser, to institutionalize the format of the SMS messages containing one-time passwords (OTP) that users receive during the two-factor authentication (2FA) login process.

 With 2 basic goals, the proposal aims initially is to introduce a way that OTP SMS messages can be associated with a URL, which is essentially done by adding the login URL inside the SMS itself.

And the second being to institutionalize the format of 2FA/OTP SMS messages, so browsers and other mobile applications can undoubtedly distinguish the approaching SMS, perceive web domain inside the message, and afterward consequently extract the OTP code and complete the login operation moving forward without any further user interaction.

According to the new proposal, the new SMS format for OTP codes would look like below:

747723 is your WEBSITE authentication code. 
@website.com #747723 

The first line, intended for human users, permits them to decide from what site the SMS OTP code originated from and the second line is for both human users as well as for applications and browsers.

 Applications and browsers will consequently extricate the OTP code and complete the 2FA login operation. In the event that there's a 'mismatch' and the auto-complete operation falls flat, human readers will have the option to see the site's original URL, and contrast it with the site they're attempting to login.

On the off chance that the two are not similar, at that point, users will be alerted that they're very a phishing site and forsake their login activity.

When browsers will deliver components for reading SMS OTP codes in the new format, significant providers of SMS OTP codes are required to switch to utilizing it. Starting now, Twilio has already communicated its enthusiasm for actualizing the new arrangement for its SMS OTP administrations. 

Presently, while Apple (WebKit) and Google (Chromium) engineers are quite energetic about the proposition, Mozilla (Firefox) has not yet given an official criticism on the standard yet.

Mozilla advices its users' to update their web browser to fix critical vulnerability






Mozilla has issued a warning to its users and asked them to upgrade their web browser Firefox, after company found some critical vulnerabilities.

The company has issued an advisory on Tuesday, 18 June, 2019, it includes a details about security vulnerabilities that have been fixed in Firefox 67.0.3 and Firefox ESR 60.7.1.

 The advisory detailed flaws stating, “A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.”

It further read “We are aware of targeted attacks in the wild abusing this flaw.” The company has marked the update as ‘critical’. 

According to reports, the bug is classified as critical because  it allows outside users to remotely execute code on your machine without your permission.


The bug was spotted for the first time by Samuel Groß, who is reportedly a security researcher with Google Project Zero and Coinbase Security.

Mozilla Fixes Actively Exploited Zero-Day Flaw with Firefox 67.0.3



Mozilla has fixed the Firefox and Firefox ESR zero-day vulnerabilities with the release of its latest versions, Firefox 67.0.3 and Firefox ESR 60.7.1. These flaws were rampantly exploited by the hackers to remotely execute arbitrary code onto the systems of the users who ran vulnerable versions of the Browser.
The zero-day flaw tracked as CVE-2019-11707 takes place when JavaScript objects are manipulated because of the issues in Array.pop; before Mozilla came up with the patch, hackers could set off the attack by misguiding users using vulnerable versions of the browser to visit a malicious web address which is designed to take control of the infected systems and consequently, execute arbitrary code onto the machines.
Referencing from the statements given by security advisory of Mozilla, the Browser developers are "aware of targeted attacks in the wild abusing this flaw" that could allow hackers who take advantage of this zero-day flaw to take over the affected machines.
As a security measure against the Firefox and Firefox ESR zero-day vulnerabilities which were reported to Mozilla by Coinbase Security team and Samuel Groß from Google Project Zero, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put forth an advise suggesting users "to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates."
Commenting on the matter, Groß tweeted, “The bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape,” 
“However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.” he added. 
Mozilla has released a similar emergency patch, Firefox 50.0.2 and 45.5.1 ESR, earlier in 2016 as well. Back in 2016, the flaw was exploited by cybercriminals to de-anonymize Tor Browser users and accumulate their private data such as MAC addresses, hostnames, and IP addresses.