The vulnerabilities, exploitable by an attacker with only a browser.
The entry point was exploiting the service's main functionality itself — adding an internal server address to the "read it later" user list — to retrieve sensitive server information such as the /etc/passwd file, its internal IP and the SSH private key needed to connect to it without a password.
With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service, giving the security researcher unrestricted access.
Read more: gnu.gl
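The summary above describes a server fetching whatever address a user saves to their list. The following is an added example, not code from the affected service or from the researcher's write-up: a pre-fetch check that rejects non-web schemes and any hostname resolving to a non-public address. The function names, the sample DNS table and the example.org hosts are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve(host):
    """Return every address the system resolver gives for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(addr):
    """True for loopback, private, link-local and other non-global addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable answer: fail closed
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before judging it
    return not ip.is_global

def check_saved_url(url, resolver=resolve):
    """Return (allowed, reason) for a URL a user asks the service to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "unresolvable"
    # One internal answer is enough to refuse: a name may map to several hosts.
    bad = sorted(a for a in addrs if is_internal(a))
    if bad or not addrs:
        return False, "internal address: " + (bad[0] if bad else "none")
    return True, "ok"

# Constructed resolver data so the example runs offline.
SAMPLE_DNS = {
    "blog.example.org": {"93.184.216.34"},
    "intranet.example.org": {"10.0.0.5"},
    "mixed.example.org": {"93.184.216.34", "127.0.0.1"},
}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, {host})  # IP literals resolve to themselves

if __name__ == "__main__":
    for u in ("https://blog.example.org/post", "http://intranet.example.org/",
              "http://mixed.example.org/", "file:///etc/passwd"):
        print(u, check_saved_url(u, sample_resolver))
```

The fetcher should connect to the address that passed this check rather than resolving the name a second time, and run the same check on every redirect target.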
I solved this relatively easily by removing the protocols it uses to call home. First of all, back up your bookmarks as a .json and use the Firefox password exporter add-on to back up your passwords.
Disclaimer: I'm not responsible if you mess up your FF install, but if you follow these simple instructions, you'll be fine.
1.) Type about:config in the browser's address bar and hit the enter key.
2.) Promise that you will be careful when the prompt appears lol
3.) Search for pocket.
4.) Double-click (or right-click and use the toggle option) to make certain browser.pocket.enabled is set to false.
You are done, it's gone. Happy browsing.
Though it's not necessary from what I saw, I took it a step further and set all true values to false and deleted all web addresses and locales so the values are blank.
If you're willing to take it as far as I did, your screen should look like this...
The term string is what you will see after removing web addresses and locales.