Attack & Defense · Hardening the Firefox Frontend with Content Security PoliciesMost of the Firefox User Interface (UI), including the address bar and the tab strip, are implemented using standard web technologies like HTML, CSS and JavaScript plus some additional custom components like XUL. One of the advantages of using web technologies for the front end is that it allows rendering the frontend using the browser engine on all desktop operating systems. However, just like many web applications are susceptible to some form of injection attack (OWASP Top Ten), Firefox’s use of web technologies for the frontend makes it no exception and hence it is vulnerable to injection attacks as well.
Recent searches
Search options
#Pwn2own
0 posts0 participants0 posts today
Hackers get $886,250 for 49 zero-days at #Pwn2Own Automotive 2025
As a hardening measure, we now block inline event handlers in the main #firefox window. Inline event handlers have previously been used to gain code execution in the parent process, for example in the #Pwn2Own contest.
I have spent the last few months removing hundreds of inline event handlers.
https://groups.google.com/a/mozilla.org/g/firefox-dev/c/lqBtoY5IJzU
groups.google.comPSA: Avoid Inline event handlers in the Firefox UI
At the recent Pwn2Own Ireland 2024 event, researchers exposed vulnerabilities in TrueNAS devices, highlighting the need for enhanced security measures. With teams earning over $1 million by exploiting these flaws, TrueNAS is urging users to harden their systems. 
Stay informed and secure! #Cybersecurity #TrueNAS #Pwn2Own #Vulnerabilities #DataProtection #newz Read more: https://www.techradar.com/pro/TrueNAS-device-vulnerabilities-exposed-during-hacking-competition
TechRadar pro · TrueNAS device vulnerabilities exposed during hacking competition
It’s kind of awesome to see #pwn2own being live-tooted on the fediverse.
We have published the 2nd writeup about the EV vulnerabilities we exploited for #Pwn2Own Automotive: the JuiceBox 40.
Despite what the @thezdi advisories say, these bugs were NOT fixed by the vendor! SiLabs has declared the product EOL and won't fix it.
https://sector7.computest.nl/post/2024-08-pwn2own-automotive-juicebox-40/
Sector 7 · Pwn2Own Automotive 2024: Hacking the JuiceBox 40During Pwn2Own Automotive 2024 in Tokyo, we demonstrated exploits against three different EV chargers: the Autel MaxiCharger (MAXI US AC W12-L-4G), the ChargePoint Home Flex and the JuiceBox 40 Smart EV Charging Station with WiFi. This is our writeup of the research that we performed on the JuiceBox 40 Smart EV Charging Station. We discovered one vulnerability which has, since the event, been assigned CVE-2024-23938. During the competition, we were able to exploit CVE-2024-23938 to execute arbitrary code on the charger while requiring only network access for practical reasons at the event. However, being within Bluetooth range of the device is sufficient with a few extra steps.
That is *way* faster than 10FD (h/t @shaver). Impressive.
#InfoSec #pwn2own
https://www.bleepingcomputer.com/news/security/mozilla-fixes-two-firefox-zero-day-bugs-exploited-at-pwn2own/
