Hacker fools Mozilla with Firefox ‘flaw’ show

One of the hackers who demonstrated exploit code for a vulnerability in the way the Firefox browser handles Javascript at a hacker conference in San Diego admitted Tuesday that the presentation was meant to be a joke, according to the chief of security for Mozilla Corp.

Mozilla security researchers spent most of Sunday and Monday scrambling to determine if exploit code revealed during a presentation by hackers Mischa Spiegelmock and Andrew Wbeelsoi at Toorcon over the weekend could allow someone to execute malicious code through a memory corruption attack on Firefox.

However, Window Snyder, who leads Mozilla’s security team, said Spiegelmock admitted to the company that the presentation was meant to be humorous, and he and Wbeelsoi had not actually achieved remote execution with the exploit code demonstrated at the show.

“At best, in some cases it will crash only the client,” Snyder said Tuesday. “That’s all we’ve been able to verify at this point.”

Spiegelmock, who works for Six Apart Ltd., confirmed as much in his LiveJournal blog, in which he includes a link to a statement he made that is posted on Snyder’s Mozilla blog.

“The main purpose of our talk was to be humorous,” according to the statement. “As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.”

During the presentation, the hackers also said they knew of 30 other vulnerabilities in Firefox but this, too, was a joke, Snyder said Tuesday.

To hear Six Apart spokeswoman Jane Anderson tell it, the Toorcon presentation was a joke invented by two kids barely out of their teens who didn’t understand the ramifications of their actions.

“It was all a parody,” she said. Anderson added that Spiegelmock was not representing Six Apart at the show, and the company spent most of Sunday on the phone with Mozilla putting out fires and cooperating with the company to get to the bottom of the matter.

To make matters more embarrassing for Six Apart, the company’s earliest investor, Joi Ito, is on Mozilla’s board of directors.

Anderson added that Spiegelmock will not be terminated for his actions. “We all make mistakes,” she said.

Snyder and the Mozilla team also are being good sports about the ordeal.

“Of course, we always prefer that security researchers report vulnerabilities to us so we can create a patch before customers are put at risk,” she said. “But at this point he’s been very cooperative and we’re pleased he’s chosen to work with us.”

Still, Snyder said, “I know people who were working really hard here on Sunday probably have other things they’d rather be doing.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now