CERT-In warns about bugs in Firefox browser

Advertisement

CERT-In, which comes under the IT Ministry, advised users to update to the latest Mozilla Firefox versions…reports Asian Lite News

After warning users about bugs in Google Chrome for desktop, the Indian Computer Emergency Response Team (CERT-In) has now cautioned against multiple vulnerabilities in Mozilla Firefox products that can let hackers compromise devices and systems.

The bugs in Mozilla Firefox browser could allow a remote attacker to bypass security restrictions, execute arbitrary code and cause denial of service attack on the targeted system, CERT-In said in its latest advisory.

“These vulnerabilities exist in Mozilla Firefox due to abuse of XSLT error handling, cross-origin iframe referencing an XSLT document… that results in a use-after-free error and memory safety bugs within the browser engine,” explained the cyber agency.

A remote attacker could exploit these vulnerabilities by convincing a victim to open a specially-crafted web request.

CERT-In, which comes under the IT Ministry, advised users to update to the latest Mozilla Firefox versions.

CERT-In also found a vulnerability in open source coding platform Drupal which could allow an attacker to bypass security restrictions on the targeted system.

“Successful exploitation of this vulnerability could allow an attacker to bypass security restrictions (leak valid payment details and accept invalid payment details) on the targeted system,” it warned.

Last week, the cyber agency had warned users about multiple vulnerabilities in Google Chrome for desktop that could let threat actors gain access to their computers.

Cert-In warns of personal info leak

Personal information such as name, gender, email address and phone numbers of some Akasa Air passengers has been leaked to “unauthorised individuals”, the airline stated on Sunday. India’s newest carrier said it self-reported this incident to Indian Computer Emergency Response Team CERT-In, which is the government-authorised nodal agency tasked to deal with matters of this nature.

However, Akasa Air asserted that there was no “intentional hacking attempt, but that the situation was reported by a research expert through a journalist for which we are grateful”. The cyber security researcher concerned was Mumbai-based Ashutosh Barot, who works as Deputy Manager at a top international consulting firm.

Barot said he found the leak during his free time on August 7, the day Akasa Air operated its first commercial flight. He said he attempted to get in touch with Akasa Air on the next day itself, by sending a direct message on Twitter.

“The airline gave me its generic email ID. I told them to get me in touch with the security in-charge as the matter concerns leakage of sensitive information of users of the airline’s website,” he noted.

After receiving no response from the airline, Barot told a journalist, who then got in touch with Akasa Air.

“The airline was then informed in detail about the vulnerability on their website at around August 17. Akasa Air resolved the issue around 4-5 days back,” Barot said.

On August 7, Akasa Air had launched commercial flight operations with its first service on the Mumbai-Ahmedabad route, via the B737 Max aircraft. On Saturday and Sunday, the airline sent emails to passengers — who had submitted their details on its website while booking tickets — to inform them about the leak.

“A temporary technical configuration error related to our login and sign-up service was reported on August 25. As a result, some Akasa Air registered user information limited to names, gender, email addresses and phone numbers may have been viewed by unauthorised individuals,” the airline’s email noted.

Besides the above details, no travel-related information, travel records or payment information was compromised, it clarified.

“On being made aware of the incident, we immediately stopped this unauthorised access by completely shutting down the associated functional elements of our system. After having added additional controls to address this situation, we have resumed our login and sign-up services,” it mentioned.

The airline — which plans to operate 150 weekly flights by the end of September — said it has undertaken additional reviews to ensure that the security of all its systems is enhanced further.

“We wanted to make you aware of this situation and urge you to be vigilant against possible phishing attempts, since your information may have been accessed as a result of this incident,” it told passengers.

The airline’s key investor Rakesh Jhunjhunwala passed away on August 14. Three days later, its chief executive officer (CEO) Vinay Dube said the carrier is well-capitalised and has financial means to place an order for more planes.

In November last year, Akasa Air had ordered 72 B737 Max planes from Boeing. The US-based aircraft manufacturer has delivered three of the 72 planes till date.

In a statement to media on Sunday evening, the airline’s Chief Information Officer Anand Srinivasan said Akasa Air will “continue to maintain” its “robust” security protocols and wherever applicable, it will engage with partners, researchers and security experts to strengthen its systems.

ALSO READ-Govt not cooperating on Pegasus probe, panel tells SC

[mc4wp_form id=""]