The 0-day vulnerability that Firefox just fixed was used to attack Coinbase employees. According to Philip Martin, a member of the Coinbase security team, the attacker exploited a combination of two 0-day vulnerabilities: one was a remote code execution vulnerability, and the other was a sandbox escape vulnerability.
The remote code execution vulnerability was discovered by Samuel Groß, a researcher on the Google Project Zero security team, who said he reported the vulnerability to Mozilla on April 15.
“We walked back the entire attack, recovered and reported the 0-day to Firefox, pulled apart the malware and [infrastructure] used in the attack, and are working with various orgs to continue burning down [the] attacker’s infrastructure and digging into the attacker involved. We’ve seen no evidence of exploitation targeting customers,” Martin said.
It’s unclear exactly where the attacker learned the details of the vulnerability. It may have been an independent discovery, it may have been obtained from an insider, or it may have come from the compromise of a Mozilla employee account. A successful attack against Coinbase could be used to steal funds from the exchange, and Martin said there is no evidence that the exploit was aimed at Coinbase customers.