Mozilla has fastened a bug that may be abused to hijack all of the Firefox for Android browsers on the identical WiFi community and power customers to entry malicious websites, akin to phishing pages.
The bug was found by Chris Moberly, an Australian safety researcher working for GitLab.
The precise vulnerability resides within the Firefox SSDP part. SSDP stands for Easy Service Discovery Protocol and is the mechanism by way of which Firefox finds different gadgets on the identical community with the intention to share or obtain content material (i.e., akin to sharing video streams with a Roku system).
When gadgets are discovered, the Firefox SSDP part will get the placement of an XML file the place that system’s configuration is saved.
Nonetheless, Moberly found that in older variations of Firefox, you possibly can conceal Android “intent” instructions on this XML and have the Firefox browser execute the “intent,” which may very well be a daily command like telling Firefox to entry a hyperlink.
Pattern exploitation state of affairs
To raised perceive how this bug may very well be weaponized, think about a state of affairs the place a hacker walks into an airport or mall, connects to the WiFi community, after which launches a script on their laptop computer that spams the community with malformed SSDP packets.
Any Android proprietor utilizing a Firefox browser to navigate the online throughout this sort of assault would have his cellular browser hijacked and brought to a malicious website, or compelled to put in a malicious Firefox extension.
One other state of affairs is that if an attacker targets weak WiFi routers. Attackers might leverage exploits to take over outdated routers, after which spam an organization’s inner community and power staff to re-authenticate on phishing pages.
Earlier this week, Moberly printed proof-of-concept code that may very well be used to hold out such assaults. Beneath are two movies of Moberly and an ESET safety researcher demonstrating assaults.
Moberly mentioned he reported the bug to Mozilla earlier this summer season.
The bug was fastened in Firefox 79; nevertheless, many customers will not be operating the newest launch. Firefox for desktop variations weren’t impacted.
Reached for remark, a Mozilla spokesperson beneficial that customers improve to the newest model of Firefox for Android to be protected.