More stories


    Peloton pushes back against ‘urgent’ warning against using Tread+ treadmill

    Peloton has disputed claims made in an “urgent” US safety advisory warning of the risk to children posed by the Tread+.

    The Peloton Tread+, a treadmill with Internet and Bluetooth connectivity, a built-in soundbar and a display, is designed to link to real-time exercise classes for users over 16 years of age. On April 17, the US Consumer Product Safety Commission (CPSC) released a video showing two children playing on a Tread+, one of whom became temporarily trapped. The CPSC then published a public health and safety notice to US consumers, urging users with children to “stop using the product immediately.”

    According to the US agency, the Peloton Tread+ has been linked to 39 incidents involving children and pets, with potential injuries including abrasions and fractures. One child has died.

    The commission has launched an investigation into the fatality, which was disclosed by Peloton in March. At the time, in a letter to users, Peloton CEO and co-founder John Foley said the company designs and builds products “with safety in mind,” but urged users to “keep children and pets away from Peloton exercise equipment at all times.” Separately, a three-year-old boy suffered head and neck injuries after becoming trapped under a Tread+, leading to what the CPSC calls “significant brain injury.”

    “Peloton was shocked and devastated to learn in March that a child died while using the Tread+,” Peloton said. “Within a day of learning this news, Peloton notified CPSC. While preparing its report to CPSC, Peloton learned through a doctor’s report to CPSC’s public database that a child had experienced a brain injury. Peloton spoke to the family who reported that and the child is expected to fully recover.”

    “In light of multiple reports of children becoming entrapped, pinned, and pulled under the rear roller of the product, CPSC urges consumers with children at home to stop using the product immediately,” the agency warned.

    According to the CPSC, one incident may have occurred while a parent was using the treadmill, which would mean “the hazard cannot be avoided simply by locking the device when not in use.” The agency recommends that consumers keep their Tread+ in a locked room, with other objects, such as exercise balls, kept well away.

    In response to the alert, Peloton issued its own statement calling the advisory “misleading” and “inaccurate.” “There is no reason to stop using the Tread+, as long as all warnings and safety instructions are followed,” the company said. “Children under 16 should never use the Tread+, and members should keep children, pets, and objects away from the Tread+ at all times.”

    Peloton has also asked users to remove the Safety Key when the treadmill is not in use, which prevents the Tread+ from being inadvertently turned on, “precisely to avoid the kind of incident that [the CPSC’s] video depicts.”

    Peloton further claims that it was willing to make a joint statement with the CPSC about the safety concerns, but that the agency “unfairly characterized Peloton’s efforts to collaborate and to correct inaccuracies in CPSC’s press release as an attempt to delay.” In a follow-up note, Peloton’s CEO said the company had not obstructed the investigation, with the one exception of declining the agency’s demands for personal data on customers who had asked that this information be withheld.

    “Peloton is disappointed that, despite its offers of collaboration, and despite the fact that the Tread+ complies with all applicable safety standards, CPSC was unwilling to engage in any meaningful discussions with Peloton before issuing its inaccurate and misleading press release,” Peloton added.

    Foley says the company has “no intention” of recalling or stopping sales of the Tread+.


    The FBI removed hacker backdoors from vulnerable Microsoft Exchange servers. Not everyone likes the idea

    Last week the US Department of Justice revealed how the FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cybersecurity. Earlier this year, four zero-day vulnerabilities in Microsoft Exchange Server, which were being actively exploited by a nation-state-backed hacking operation, were uncovered. Microsoft released a critical security update to protect Exchange Server customers from cyberattacks exploiting the vulnerabilities in March, but a significant number of organisations have yet to apply the security patch.

    Exchange attacks

    This leaves them open to attack from a range of actors, including nation-state groups, ransomware gangs, cryptojackers and other cyber-criminal groups that have rushed to exploit the Exchange vulnerabilities.

    The attackers exploit the vulnerabilities to plant web shells: server-side scripts that give the attacker remote command execution on the server and so provide persistent, unauthorised backdoor access for cyber espionage and other malicious activity. It was these web shells that the FBI launched an operation to remove.

    Hundreds of web shells that had not been mitigated by their owners were identified and removed from hundreds of systems, to the extent that the Department of Justice says one hacking group’s remaining web shells were removed entirely.

    “This operation is an example of the FBI’s commitment to combating cyber threats through our enduring federal and private sector partnerships,” said Tonya Ugoretz, acting assistant director of the FBI’s cyber division.

    “Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,” she added.

    Action was taken because of the threat the web shells posed to the organisations. The FBI says it is attempting to notify every organisation from which it removed web shells, which means the agency accessed those systems without their owners’ knowledge. Even if the intent was good, and the operation was authorised by the courts, this is a significant step by law enforcement.

    “The effort by the FBI amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not OK,” says David Brumley, professor of electrical and computer engineering at Carnegie Mellon University and co-founder and CEO of ForAllSecure, a cybersecurity company. “While I understand the good intention – the FBI wants to remove the backdoor – this sets a dangerous precedent where law enforcement is given broad permission to access private servers.”

    In this case, the courts deemed accessing the networks appropriate in order to remove backdoors planted by malicious hackers and to protect the organisations from further attack, but Brumley fears what he describes as a “slippery slope”.

    “We don’t want a future where the FBI determines someone may be vulnerable, and then uses that as a pretext to gain access. Remember: the FBI has both a law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn’t locked, and then using that as a pretext to enter,” he says.

    Others believe the FBI’s action in entering networks and removing web shells from compromised Exchange servers was the right thing to do, especially when organisations are fighting attackers far better resourced than they are.

    “I believe this involvement by the FBI is seen as much appreciated from the private sector when it comes to protecting against nation-state attacks. Right now it is as if the private sector is fighting these nation-state attacks with one hand tied behind our backs, especially when our adversaries are pulling no punches,” says Troy Gill, threat hunter and manager at security company Zix. “We will continue to see more government involved when it comes to mitigating vulnerabilities.”

    Other security agencies are helping organisations secure their networks against the Exchange vulnerabilities, but not by accessing networks without the owners knowing first. For example, the UK’s National Cyber Security Centre (NCSC) has helped remove malware related to the Exchange zero-days from over 2,300 Windows machines. This was done in partnership with the affected organisations; the NCSC does not have the powers to enter the networks of private businesses to fix vulnerabilities.

    The NCSC is also working with organisations to apply the security updates that protect against the attacks.

    The FBI, for its part, removed only the malicious web shells. It did not patch the Exchange Server vulnerabilities, and it did not remove any other tooling or malware the attackers may have left on the networks. So as long as they have not applied the patches or examined their networks for suspicious activity, businesses that had web shells removed remain vulnerable to further attack, all the more so if they are still unaware that the FBI entered the network to remove the web shells in the first place.

    “The FBI initiative to remove web shell code from compromised Microsoft Exchange servers may be regarded as an important milestone in fighting cybercrime. However, while this operation removes attackers’ access to these vulnerable servers, it doesn’t immediately improve their security,” explains Bogdan Botezatu, director of threat research and reporting at Bitdefender. “The removal of the web shell does not affect the operation of additional malware that might have been planted on the server post-compromise and also does not patch the root issue, so attackers could easily re-exploit the vulnerable server and regain web shell access to it”.

    A joint advisory from the FBI and CISA (the Cybersecurity & Infrastructure Security Agency) urges organisations to apply the relevant security patches and other mitigations to protect their networks; until the patches are applied, the servers remain exposed. So while entering networks with the courts’ permission allowed the FBI to remove the immediate threat of the web shells, many organisations may still not know whether their network was accessed by the FBI at all.

    The debate between cybersecurity, rights of access, privacy, and whether this was the right way to protect vulnerable organisations is going to rumble on.

    “Some people may be very uneasy about this and feel that a dangerous precedent has been set. Should governments really be permitted to access and manipulate corporate computer systems, even if the reasons for doing so are ostensibly altruistic?” says Brett Callow, threat analyst at Emsisoft.

    “That said, the action undoubtedly avoided harm as, without it, more organizations would almost certainly have been further compromised. This is really one of those cases where you can understand why something was done and see the benefits of it having been done, but nonetheless wonder whether it should’ve been done,” he adds.

    Whether it should have been done or not, the incident sets a precedent, and the FBI could take similar action again.

    “The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions,” said acting assistant director Ugoretz.

    Microsoft was approached for comment but a spokesperson said the company had nothing to add.
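    The practical consequence of the points above is that an Exchange operator cannot assume a server is clean because someone else removed a shell from it: other shells, other tooling and the unpatched vulnerability may all remain. The following is an added example, not the FBI’s tooling, Microsoft’s guidance or anything from the article: a small heuristic triage script that walks a web content directory, scores every .aspx/.ashx/.asmx/.asp file against a handful of web-shell indicators and reports the files worth a manual look. The indicator list, weights, threshold, paths and sample files are constructed for illustration and should be tuned against a known-good baseline of your own deployment. A clean result proves nothing about the patch level; the server still needs the security update.

```python
"""Heuristic triage for web shells left in IIS/Exchange web content.

Added example; not the FBI's tooling, Microsoft's guidance or anything
reproduced from the page. Indicators, weights, threshold and the sample
files below are assumptions constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# (pattern, weight, description). Constructed indicators; real shells vary.
INDICATORS = [
    (re.compile(r'Request\s*(\[|\.Form|\.QueryString|\.Headers)', re.I), 2,
     "reads request-controlled input"),
    (re.compile(r'\b(eval|Execute)\s*\(', re.I), 3, "dynamic code evaluation"),
    (re.compile(r'Process\.Start|cmd\.exe|powershell', re.I), 3, "spawns an OS process"),
    (re.compile(r'Assembly\.Load|System\.Reflection', re.I), 3, "loads code via reflection"),
    (re.compile(r'<script[^>]*runat\s*=\s*"server"', re.I), 1, "server-side script block"),
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}
ALERT_THRESHOLD = 5  # assumed; tune against your own baseline


def score_file(path: Path) -> tuple[int, list[str]]:
    """Return (score, matched descriptions) for one file."""
    text = path.read_text(errors="replace")
    score, hits = 0, []
    for pattern, weight, why in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(why)
    # A one- or two-line file that still executes server code is a classic
    # dropped-shell shape; legitimate pages are rarely that small.
    if score and len(text.splitlines()) <= 3:
        score += 2
        hits.append("tiny file with server-side code")
    return score, hits


def scan_directory(root: Path, threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Walk root and return the web files whose score reaches the threshold."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            score, hits = score_file(path)
            if score >= threshold:
                findings.append({"path": path.relative_to(root).as_posix(),
                                 "score": score, "hits": hits})
    return findings


# Constructed sample tree: two ordinary pages and two shell-shaped files.
SAMPLE_FILES = {
    "wwwroot/login.aspx": '<%@ Page Language="C#" %>\n<html><body><form runat="server">\n'
                          '<asp:TextBox ID="username" runat="server" /></form></body></html>\n',
    "wwwroot/error.aspx": '<%@ Page Language="C#" %>\n<script runat="server">\n'
                          'void Page_Load() { Response.Write("error"); }\n</script>\n',
    "wwwroot/help.aspx": '<script language="JScript" runat="server">'
                         'function Page_Load(){eval(Request["x"],"unsafe");}</script>',
    "wwwroot/tmp.aspx": '<%@ Page Language="C#" %><script runat="server">void Page_Load(){'
                        'System.Diagnostics.Process.Start("cmd.exe", Request["c"]);}</script>',
}


def build_sample_tree() -> Path:
    """Write the constructed samples to a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="webshell-triage-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_tree()):
        print(f"{finding['score']:>2}  {finding['path']}  <- {', '.join(finding['hits'])}")
```

    Run it against a copy of the web content directory taken during incident response rather than the live tree, and treat every hit as a lead for manual review: a file that matches is not proof of compromise, and a file that does not match is not proof of its absence.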



    Coding error allowed attackers to delete Facebook live video

    Facebook has resolved a coding issue in live video services that allowed attackers to effectively delete content without the consent of owners. 

    On April 17, security researcher Ahmad Talahmeh published an advisory explaining how the vulnerability worked, together with proof-of-concept (PoC) code able to trigger it.

    Facebook’s live video feature allows users to broadcast and publish live streams, and has been widely adopted not only by individuals but also by companies and organizations worldwide, especially during the COVID-19 pandemic and its stay-at-home orders. Owners can publish live streams through a page, group or event. Once a broadcast has ended, users can trim the video to cut unnecessary content from the stream by choosing new from- and to- timestamps.

    Talahmeh found an issue with this feature that allowed a live video to be trimmed on the owner’s behalf, to the point of deletion, an unexpected behavior with ramifications for privacy and security. The problem lies in trimming a video down to five milliseconds, according to the researcher.

    “Trimming video to five milliseconds will cause the video to be 0 seconds long and the owner won’t be able to untrim it,” Talahmeh says.

    After obtaining the target live video’s ID and the current user ID, a crafted trim request could be submitted that removed the video.

    Talahmeh reported his findings to the social media giant on September 25, 2020. The issue was triaged within two hours and a fix was confirmed by Facebook three days later. A bug bounty of $11,000 was issued via BountyCon 2020, and two additional bounties of $1,150 and $2,300 were later awarded by Facebook.

    The researcher has separately detailed a way to untrim any live video on the platform, a report worth $2,875. In addition, Talahmeh found a further issue with the Facebook business-page updates that inform customers of changes prompted by COVID-19, such as altered opening times, deliveries or access to physical outlets: the “Coronavirus (COVID-19) Update From {page name}” notice could be updated with analyst permissions, which are normally read-only. This report earned him $750.

    ZDNet has reached out to Facebook and we will update when we hear back.
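    The two failures the report describes, a trim accepted on someone else’s video and a trim short enough to round the video down to nothing, are both server-side validation gaps. The following is an added illustration and not Facebook’s code; the page gives no implementation details. The LiveVideo model, the trim and untrim functions, the one-second minimum clip length and the sample data are assumptions made for this example. What the article does state is modelled: a five-millisecond trim rounds to a zero-second video, and the owner could not undo it.

```python
"""A live-video trim endpoint: the unchecked shape beside a hardened one.

Added illustration, not Facebook's code. Model, function names, the
MIN_CLIP_MS policy and the sample store are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Optional

MIN_CLIP_MS = 1000  # assumed policy: a trim may not leave less than one second


@dataclass
class LiveVideo:
    video_id: int
    owner_id: int
    duration_ms: int
    trim: Optional[tuple[int, int]] = None  # (start_ms, end_ms) currently applied

    def playable_seconds(self) -> int:
        """Whole seconds left after the trim; a 5 ms clip becomes 0 s."""
        start, end = self.trim if self.trim else (0, self.duration_ms)
        return (end - start) // 1000


class TrimError(Exception):
    pass


def trim_video_vulnerable(store: dict, video_id: int, start_ms: int, end_ms: int) -> LiveVideo:
    """Unchecked: whoever supplies a video ID may trim it, to any length."""
    video = store[video_id]
    video.trim = (start_ms, end_ms)
    return video


def trim_video_hardened(store: dict, session_user_id: int, video_id: int,
                        start_ms: int, end_ms: int) -> LiveVideo:
    """Ownership is taken from the server-side session, never from the request body."""
    video = store.get(video_id)
    if video is None or video.owner_id != session_user_id:
        raise TrimError("not found")  # same answer for missing and foreign videos
    if not (0 <= start_ms < end_ms <= video.duration_ms):
        raise TrimError("trim range outside the video")
    if end_ms - start_ms < MIN_CLIP_MS:
        raise TrimError("trim would leave an unplayable clip")
    video.trim = (start_ms, end_ms)
    return video


def untrim_video_hardened(store: dict, session_user_id: int, video_id: int) -> LiveVideo:
    """Restore the full broadcast; the same ownership check applies."""
    video = store.get(video_id)
    if video is None or video.owner_id != session_user_id:
        raise TrimError("not found")
    video.trim = None
    return video


def build_sample_store() -> dict:
    """Constructed data: a 90-second broadcast owned by user 1."""
    return {42: LiveVideo(video_id=42, owner_id=1, duration_ms=90_000)}


if __name__ == "__main__":
    v = trim_video_vulnerable(build_sample_store(), 42, 0, 5)     # anyone, 5 ms
    print("vulnerable:", v.playable_seconds(), "s left")         # 0 s
    try:
        trim_video_hardened(build_sample_store(), 2, 42, 0, 5)   # user 2 is not the owner
    except TrimError as err:
        print("hardened, wrong user:", err)
```

    The two checks that matter are independent: the ownership check stops the cross-account trim, and the minimum-length check stops the owner (or anyone) from reducing a video to an unplayable clip. Returning the same error for a missing video and a foreign one avoids confirming that a guessed ID exists.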


    Zero trust, basic cyber hygiene best defence against third-party attacks

    Adopting a zero trust security strategy can better safeguard organisations against third-party attacks, where suppliers should not simply be trusted to do the right thing. In this second piece of a two-part feature, ZDNet looks at how businesses in Asia-Pacific can establish basic cyber hygiene as well as better data management to combat attacks from across their supply chain.

    There has been a spate of third-party cybersecurity attacks since the start of the year, with several businesses in Singapore and across Asia affected by the rippling effects of such breaches. Just last month, personal details of 30,000 individuals in Singapore might have been illegally accessed following a breach that targeted a third-party vendor of the job-matching organisation Employment and Employability Institute (e2i). Earlier this year, personal data of 580,000 Singapore Airlines (SIA) frequent flyers as well as 129,000 Singtel customers were also compromised through third-party security breaches.

    Acronis CEO Serguei Beloussov believed third-party attacks such as those involving Accellion and SIA could have been prevented with a zero trust architecture. He dismissed suggestions that supply chain attacks could be mitigated through a network of trusted suppliers. Noting that few of them imposed strict access, Beloussov said every supplier had employees and it took just one “untrusted” source to breach a network. Humans made mistakes and this had always been the primary challenge, he said, noting that employees would forget to follow procedures or circumvented these to make their job easier. “Zero trust isn’t just about not trusting [anyone], it’s about personal [cyber] hygiene,” said Beloussov, who likened it to not sharing toothbrushes even with one’s spouse. “Unless you have some proper measures [in place], you’ll be more often sick if you shared toothbrush.”

    Security policies also should be implemented, and adhered to, with regards to how supply chains are protected, he said. Regular checks as well as vulnerability assessment and penetration testing should be carried out, he noted, stressing the need to monitor and control all suppliers.

    Acronis’ chief information security officer (CISO) Kevin Reed said organisations needed to know who and what were accessing their data. This meant they would have to consistently assess their partners’ trust level, and not just at the start of the business relationship when a new contract was inked, he said.

    “Three months after [the beginning of the partnership], they might suffer an attack and their trust level would decrease, but if you only evaluated at the start, you would not be able to catch this,” Reed said. “With zero trust, you need to re-evaluate all the time and preferably in real-time. This should apply to anything that touches your data.”

    Check Point’s research head Lotem Finkelstein added that security should always be a criterion against which products and suppliers were evaluated. Questions should be asked about the security measures they had put in place and whether connections with these suppliers were secured, to limit the risks of engaging with them, Finkelstein said.

    Reed noted that prevention would play a key role. With the majority of attacks today opportunistic, organisations would be able to thwart most attempts if they adopted preventive measures that decreased their probability of being breached.

    “You’re not hacked because someone wants to hack you; you’re hacked because it was easy,” he added. “So if you have some level of hygiene, you raise the bar for attackers and it’s more expensive for them to hack you than another company.”

    Adopt best practices, replace old technology

    Businesses also could mitigate their risk by adopting better data management. CyberGRX’s CISO Dave Stapleton pointed to the attack on SITA, whose impact on some airlines might be comparatively small because of the types of data shared. This could indicate good data protection practices such as data segmentation and categorisation, where not every piece of information was stored in one database and access to data was given only to facilitate specific functions.

    Stapleton also recommended adopting the zero trust approach as well as minimising the data organisations collected. “The data can’t be breached if you don’t have it, so don’t have it if you don’t need it,” he said, adding that there also should be transparency so customers knew exactly who would have access to their data. He also stressed the need for clear expectations about breach notifications, which he said should be included in any contract with organisations that stored or exchanged data.

    “Security needs to be baked in, rather than bolted on, and we’re not there yet as a society,” he said. “I fear we’re getting outpaced and we don’t have sophisticated defence to counter sophisticated attacks.”


    Above all, there was a need to instil basic cyber hygiene, said Benjamin Ang, senior fellow of cyber homeland defence and deputy head of the Centre of Excellence for National Security (CENS). Established in April 2006, CENS is a research unit of the Nanyang Technological University’s S. Rajaratnam School of International Studies and consists of local and overseas analysts specialising in national and homeland security issues.

    Ang suggested that there should be fundamental checks businesses were required to implement before being given, for instance, cyber insurance coverage. This would be similar to how fire insurance required owners not to store flammable materials in their property, he said.

    “There are good practices out there, we just need to implement them,” he noted. “And it really is about people, process, and technology. I’ve seen how even the best process and technology can be easily undone by people. People have to step up.”

    For one, Stapleton urged software vendors to take more care in managing patches, which should be tested before they were issued. “If you release a patch for your product that doesn’t do what you purport it to do, that’s on you. It’s a disservice to your customers and that’s a problem,” he said. “Bigger enterprises also should test all patches before pushing them to production, which will ensure they don’t break other systems and validate the effectiveness of the patch.”

    In cases such as Accellion, which involved a 20-year-old product and ineffective patches, he said both the vendor and bigger enterprise customers should share the blame. He also would not expect large enterprises with deeper resources to use decades-old technology, especially if its manufacturer had made clear it was reaching end-of-life. The onus then was on the organisation to figure out a migration plan, he said. Doing so would be much cheaper than the potential cost of paying a ransom should the software vulnerabilities result in a breach, he added.

    Beloussov put it simply: “Nothing that is old is safe. Something that was built 20 years ago can be penetrated. You have to constantly check and update the system. It’s like being in the military…[where] in a war, if you have the latest [weapon], [the opponent] would have the latest anti-radar system [to detect it], so you have to constantly upgrade your product.”

    Reed added that the security industry had progressed over time. With modern compilers and frameworks, software today was more secure, with protection built in by design.

    However, Ang noted that businesses sometimes chose to retain older software so existing production would not be disrupted. He said he still kept a copy of Windows XP because he needed to access a handful of older applications that could only run on the aged Microsoft operating system. Organisations in older industries, such as the energy sector, typically operated industrial control systems that were more than 20 years old, and upgrading these could mean taking down power systems, he said. So they would end up retaining this old equipment, he added.

    Teo Yi Ling, senior fellow at CENS, noted that corporate inertia or cost also held organisations back from replacing ageing software. Larger organisations such as Singtel could also have more red tape and, hence, employees might have less flexibility to make changes, Teo said.

    However, Ang noted, a lot more could be done to enable organisations to detect abnormalities or unusual activities within their network so these could be promptly resolved. Alerts should trigger and companies should have a means to isolate or shut down the system to contain the breach, he said. He added that if attackers could not be blocked from breaching the network, there should at least be processes in place to detect and mitigate the impact.

    “Ultimately, the safety net is being able to detect and mitigate. Legislations are great to require [organisations] to have more checks done across their supply chain, but laws have limits,” he said.

    Ang explained that software and IT environments were complex, with some individuals using some 20 different applications that they could not access on the corporate network but had running on their work laptops. In such cases, enterprises must have the ability to assess these applications and ascertain who should have the authority to do so, he said.

    Teo further expressed frustration that, despite frequent warnings and an increase in public awareness, there still were people who would not change the default password on their connected devices.

    “Every time there’s a breach, we’re told we need to be vigilant, but why are we not getting better at this?” she said. “We need to stop thinking [about security] in a linear way as supply chains are [complex]. All the different players, stakeholders, and companies contribute to each node that’s connected to the supply chain and entire ecosystem. Organisations need to understand how to defend it on a granular level, determine what security-by-design looks like, and build it in.”

    Stapleton also expressed concern that security breaches had become so commonplace that individuals were becoming desensitised and no longer cared about the need to safeguard their data. It was also worrying that business leaders were not prioritising security at the same rate as their adversaries, he noted. He added that CISOs needed to claim seats at the same table where executive decisions, including budgeting and strategic moves, were made.


    WordPress could treat Google FloC as a security issue

    The backlash against Google’s Federated Learning of Cohorts (FLoC) has continued, with a proposal raised in WordPress Core to block the controversial replacement for third-party cookies by default. The WordPress proposal would see the blogging system use its weight to thwart FLoC.

    “WordPress powers approximately 41% of the web — and this community can help combat racism, sexism, anti-LGBTQ+ discrimination, and discrimination against those with mental illness with four lines of code,” it states.

    For site owners who want to enable FLoC, the proposal states that they would likely be able to do so themselves, and a little more code would allow FLoC to be toggled on and off in the blog settings.

    “When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate — and the interests of the users and visitors to those sites, is simply more compelling,” the proposal states.

    To get the block out to current users, the proposal floats treating FLoC as a security issue and backporting the change, rather than waiting until the next major release in July. “Currently, 5.8 is only scheduled for July 2021. FLoC will likely be rolling out this month,” it states. “Furthermore, a significant number of WordPress sites only update to minor versions. By back-porting, we can protect more sites and more visitors to those sites — and amplify the impact.”

    FLoC has received some stinging criticism, mostly based on how it would share a summary of recent browsing history with marketers, something third-party cookies could attempt but were never guaranteed to achieve.

    “Its core design involves sharing new information with advertisers,” Chromium-based browser maker Vivaldi said last week. “You might visit a website that relates to a highly personal subject that may or may not use FLoC ads, and now every other site that you visit gets told your FLoC ID, which shows that you have visited that specific kind of site.”

    Vivaldi said FLoC has very serious implications for people who live in an environment where aspects of their personality are persecuted, such as their sexuality, political viewpoint, or religion. “All can become a part of your FLoC ID,” it said. “This is no longer about privacy but goes beyond. It crosses the line into personal safety.”

    The Electronic Frontier Foundation said the era of third-party cookies was over, and the decision now was whether to let users decide what information to share, or to attach to them a behavioural label that is “rich with meaning to those in the know”.

    “Their recent history, distilled into a few bits, is ‘democratized’ and shared with dozens of nameless actors that take part in the service of each web page,” it said. “Users begin every interaction with a confession: Here’s what I’ve been up to this week, please treat me accordingly.”
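    The page does not reproduce the proposal’s four lines. The mechanism Chrome documented for a site to opt out of FLoC is the response header `Permissions-Policy: interest-cohort=()`, so a default block in WordPress, or in any other server or application, comes down to emitting that header on every page. What a site operator then wants is a way to confirm the header is actually reaching visitors. The following is an added example and not the proposal’s code: a small parser for the Permissions-Policy directive syntax (comma-separated `feature=allowlist` pairs, with allowlists in parentheses) and a check that reports whether `interest-cohort` is disabled. The sample responses are constructed.

```python
"""Check whether a response's headers opt the site out of FLoC.

Added example, not the WordPress proposal's code. Parses the
Permissions-Policy header and reports whether interest-cohort is disabled
(empty allowlist). Sample responses below are constructed.
"""
from typing import Iterable


def parse_permissions_policy(value: str) -> dict[str, list[str]]:
    """'a=(), b=(self "https://x"), c=*' -> {'a': [], 'b': ['self', 'https://x'], 'c': ['*']}"""
    policy: dict[str, list[str]] = {}
    for directive in value.split(","):
        feature, sep, allowlist = directive.strip().partition("=")
        if not sep:
            continue  # malformed directive: ignore rather than guess
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            origins = allowlist[1:-1].split()   # "()" gives an empty allowlist
        else:
            origins = [allowlist]               # bare token such as * or self
        policy[feature.strip().lower()] = [o.strip('"') for o in origins]
    return policy


def floc_blocked(headers: Iterable[tuple[str, str]]) -> bool:
    """True only if a Permissions-Policy header sets interest-cohort to an empty allowlist."""
    for name, value in headers:
        if name.lower() != "permissions-policy":
            continue
        if parse_permissions_policy(value).get("interest-cohort") == []:
            return True
    return False


# Constructed responses, as a header list the way curl -I or a proxy would show them.
SAMPLE_RESPONSES = {
    "blocks floc": [("Content-Type", "text/html"),
                    ("Permissions-Policy", "interest-cohort=()")],
    "blocks floc among other features": [
        ("Permissions-Policy",
         'geolocation=(self "https://maps.example"), interest-cohort=(), camera=()')],
    "header present but allows floc": [("Permissions-Policy", "interest-cohort=*")],
    "self-only allowlist still opts in": [("permissions-policy", "interest-cohort=(self)")],
    "no policy header at all": [("Content-Type", "text/html")],
}


def audit(responses: dict[str, list[tuple[str, str]]]) -> dict[str, bool]:
    """Map each labelled response to whether it blocks FLoC."""
    return {label: floc_blocked(headers) for label, headers in responses.items()}


if __name__ == "__main__":
    for label, blocked in audit(SAMPLE_RESPONSES).items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {label}")
```

    Check the live response rather than the configuration: a caching layer, CDN or reverse proxy in front of WordPress can strip or override the header, and a header that only appears on the admin pages does nothing for visitors.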


    Google backs new security standard for smartphone VPN apps

    The Internet of Secure Things Alliance (ioXt), an IoT security certification body, has launched a new security certification for mobile apps and VPNs. The new ioXt compliance program includes a ‘mobile application profile’, a set of security-related criteria against which apps can be certified. The profile includes additional requirements for virtual private network (VPN) applications.

    Google and Amazon had a hand in shaping the criteria, along with a number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google’s VPN within the Google One service is one of the first to be certified against the criteria.

    Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.

    The mobile app profile certification includes checks for insecure interfaces, automatic updates, secure password management and security by default, as well as an assessment of whether the software has been verified. It also considers vulnerability reporting programs and end-of-life policies. According to Davis, since the ioXt Alliance already does security checks for IoT devices, it decided to expand coverage to the apps that manage those devices.

    “We’ve seen early interest from Internet of Things and virtual private network developers, however the standard is appropriate for any cloud-connected service such as social, messaging, fitness, or productivity apps,” said Davis.

    Consumer VPNs that have been certified include Google One (which has a built-in VPN service), ExpressVPN, NordVPN, McAfee Innovations, OpenVPN for Android, Private Internet Access VPN, and VPN Private. The accreditation for VPN apps could be useful for Android owners, given that every now and then Google needs to pull malicious VPNs from the Google Play Store.



    Cyberattack on UK university knocks out online learning, Teams and Zoom

    The University of Hertfordshire has suffered a devastating cyberattack that knocked out all of its IT systems, including Office 365, Teams and Zoom, local networks, Wi-Fi, email, data storage and VPN. The university reported the attack on Wednesday, and cancelled all online classes on Thursday and Friday as a result.

    “Shortly before 22:00 on Wednesday 14 April, the University experienced a cyber-attack which has impacted all of our systems, including those in the Cloud such as Canvas, MS Teams and Zoom,” it said in an update on its website.

    Due to pandemic restrictions on in-person classes, the university and most students still depend on online learning and video-conferencing apps like Zoom. The UK government has allowed some students to return to in-person teaching if they require specialist equipment, but has ruled out a full return until at least May 17.

    The university noted that the outage may affect students submitting assignments, but assured them that no student would be disadvantaged as a result. Students were allowed to attend the university so long as computer access was not necessary.

    “You will not be able to access computer facilities in the LRCs, Labs or the University Wi-Fi. Remote access to specialist software and PCs is currently unavailable,” the university said. Hertfordshire’s system status page, last updated 17 hours before this report, shows the extent of the disruption.

    It is not clear what kind of cyberattack the university experienced, but the National Cyber Security Centre (NCSC) last month warned of a surge in ransomware attacks on schools, colleges and universities. “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the agency said.


    Mozilla to start disabling FTP next week with removal set for Firefox 90

    The handling of clicks on FTP links from within Firefox will soon be handed to other applications, as Mozilla removes Firefox’s FTP implementation. A year ago Mozilla announced its intention to disable support for FTP shortly, but said it would delay the move depending on how the pandemic turned out. By February, FTP was disabled in Firefox’s Nightly channel, and it is currently also disabled in the Beta channel. For general release, FTP will be disabled in Firefox 88, released on April 19. From that point, when Firefox encounters an FTP link it will attempt to pass it to an external application.

    “Most places where an extension may pass ‘ftp’ such as filters for proxy or webRequest should not result in an error, but the APIs will no longer handle requests of those types,” Mozilla add-ons community manager Caitlin Neiman wrote in a blog post. “To help offset this removal, ftp has been added to the list of supported protocol_handlers for browser extensions. This means that extensions will be able to prompt users to launch an FTP application to handle certain links.”

    Two release cycles later, in late June, Firefox 90 will have the FTP implementation removed altogether. This will also apply to Firefox on Android.

    “FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year. “Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.”