from Hacker News

Coinbase: Responding to Firefox 0-days in the wild

by hi on 8/9/19, 5:48 PM with 93 comments

  • by Deimorz on 8/9/19, 6:10 PM

    This was the original article that talked about this attempt: https://robertheaton.com/2019/06/24/i-was-7-words-away-from-...

    HN discussion: https://news.ycombinator.com/item?id=20283922

  • by londons_explore on 8/9/19, 7:53 PM

    Coinbase should be hiring pentesters and giving them employee level access - even access to commit and deploy code.

    Any insider shouldn't be able to steal more than the hot wallet, and even that should be hard.

    I actually wouldn't put much effort into border security. At coinbases level of risk, evildoers will have no qualms bribing an employee to install a backdoor in their machine.

  • by ChrisCinelli on 8/9/19, 9:41 PM

    > CVE-2019–11707 was simultaneously discovered by Samuel Groß of Google’s Project Zero and the attacker.

    At least another time in the last week I read on other threads on HN or related links that vulnerability were found almost the same time by independent people.

    Here we have a researcher from Google’s Project Zero and the attacker.

    How do you explain these coincidences?

    What is the chance that some prominent researchers being targeted and their systems are actually exploited?

  • by flyGuyOnTheSly on 8/9/19, 9:23 PM

    >We collected IOCs from the host in question and started hunting broadly in our network. We did not see any of the IOCs anywhere else in our environment, and blacklisted all the IOCs that we had at that time.

    Can someone explain what they mean by IOCs?

  • by victor22 on 8/9/19, 10:27 PM

    Remember, not your keys, not your bitcoin. Stay off coinbase.

  • by anhldbk on 8/10/19, 3:02 AM

    I find this info is interesting

    > The attackers went through a qualification process and multiple rounds of emails with potential victims, making sure they were high-payoff targets before they directed victims to the page containing the exploit payload.

    It's a well-prepared plan combining social engineering and technical exploits

  • by xchaotic on 8/9/19, 9:05 PM

    This point to an actual use of the cryptocurrency - exploiting a 0 day against someone who might have a crypto wallet means you can actually directly make money off exploits. Prior to crypto, having a 0 day wasn't equal with ability to make blackhat money with it...

  • by ianhawes on 8/9/19, 8:54 PM

    Interesting to me that the attackers were well equipped in their phish and 0days, but then opted to drop fairly detectable RATs.

  • by wyldfire on 8/9/19, 7:28 PM

    This is among the critical differences between MtGox and Coinbase.

  • by dmortin on 8/9/19, 8:01 PM

    Does it a help in this case if one runs the browser in a sandbox? E.g. in docker?

    They can then break out from the browser, but only get to docker with that exploit, and it's unlikely they have a docker exploit too at hand, is it?

  • by auslander on 8/10/19, 7:23 AM

    > exploit code was delivered from a separate domain, analyticsfit[.]com

    They paid some registrar for the domain. Can police request payment details? Can someone buy domain on stolen credit card?

  • by vbezhenar on 8/9/19, 8:58 PM

    Those attacks would not work if they did not enable JavaScript on every website by default.