Mozilla has patched a security flaw that could allow cybercriminals to hijack all vulnerable Firefox for Android browsers running on devices connected to the same Wi-Fi network. The vulnerability could be abused by black hats to force users to visit websites housing malicious content, which could then be used to execute phishing attacks or to download malware to their devices.
The bug, which resided in Firefox’s Simple Service Discovery Protocol (SSDP), was uncovered by security researcher Chris Moberly and affected Firefox for Android versions of 68.11.0 and below.
ESET malware researcher Lukas Stefanko has tested a proof-of-concept (PoC) exploit that takes advantage of the security hole, running the PoC on three devices connected to the same Wi-Fi router.
“This is a serious issue that allows to trigger any Android Intent on the same Wi-Fi network without any user interaction if you have a vulnerable version of Firefox for Android installed on your device,” said Stefanko.
He went on to warn that successful exploitation of the bug could lead to a phishing attack on public Wi-Fi networks, by requesting personal user information or login credentials from all users connected to the network who were running unpatched versions of the browser. “It makes exploitation of this issue really easy,” he added.
In a write-up of the problem on his GitLab page, Moberly explained that vulnerable versions of the Firefox browser routinely send out SSDP discovery messages, looking for second-screen devices connected to the same local network that they can cast to (imagine a Chromecast, Roku, or similar gizmo).
Devices connected on that local network can respond to these broadcasted messages, providing the location of an XML (eXtensible Markup Language) file containing their configuration details, which Firefox will then attempt to access.
However, that’s the moment when cybercriminals could make their move. “Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself,” said Moberly, shedding some light on how the vulnerability could be exploited. The security researcher added that he reported the vulnerability to Mozilla.
The bug has been fixed with the release of Firefox for Android 79, the direct successor to version 68.11.0. If you’re a Firefox for Android user, we suggest that you check whether you use the browser's version 79, or even better, its latest version (80); if not, you should update your browser immediately.