Aura, a government-owned tech company, has discovered what it is calling a "very big" software flaw in the Mozilla Firefox and Google Chrome web browsers.

The bug allows a user's private photos and sensitive documents such as passports, driver licenses and other identifying content to be uploaded to websites, and to be obtained by malicious hackers.

The bug was discovered by Alex Nikolova, a security analyst based in the company's Wellington office, and at the time of discovery had affected up to one in 10 browsers worldwide, or more than 300 million users.

Nikolova first found the vulnerability in February and notified Mozilla and Google (the two companies that develop the web browsers).


Both Google and Mozilla asked Nikolova not to speak publicly about the discovery until the software bug was "patched" last month.

The bug was addressed in a security update "within days" according to Aura general manager Peter Bailey, with the latest version of Firefox (version 66) no longer exploitable.

The company says there is no evidence to suggest malicious hackers had discovered or exploited the hole in the software before the NZ-based team identified it.

To protect their computers and mobile devices against the bug, users are advised to follow their browser's software update process. However, the company acknowledges this is something not all users do regularly.

"Patch. Keep yourself up to date, all the time. Vulnerabilities come out every day and those who want to exploit your data don't need longer than that," said Nikolova.

Some companies offer bounties to hackers who report vulnerabilities in their software (Tesla recently offered up $250,000 to anyone who could hack their Model 3); however, Aura says it didn't receive such a pay-out.

According to Bailey, their research is focused on pre-empting attacks on their existing clients' systems.

"In our industry, you can't just stand at the gate and defend against attackers when they're already on your doorstep, you need to be able to anticipate the attacks before they happen."


Bailey says New Zealand tech companies are doing a large amount of work in the cyber security space.

"Cyber security talent in New Zealand is world class, and Alex's find is just one example of the incredible research coming out of this country."

Kordia, the government-owned broadcast and telecommunications company which handles the distribution of a number of the country's television and radio brands including TVNZ, ZM, Hauraki and The Hits, acquired security company Aura in 2015.