All the comments thus far have focused on the un/reasonableness of the vulnerability, plus some potshots at FF.
I've not seen any discussion about how this exploit is targeting dev keys. I find that as a data point that we've turned the corner: The coder in this case decided to grab auth keys/passwords (with a presumably low rate of success).
As logical as it may be (without RCE, not much more they could have done with a higher rate of success), I don't think it'd have been done ten years ago.
As far as I understand, with this exploit it was only possible to read files, not write to them or compromise the targets in some other way. With that in mind, it makes sense to target keys, because the keys are an indirect way to compromise new targets.
Fascinating.