[ad_1]
Image: Lukas Stefanko
Mozilla has fixed a bug that can be abused to hijack all Firefox for Android browsers on the same WiFi network and force users to access malicious sites, such as phishing pages.
The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab.
The real vulnerability lies in the SSDP component of Firefox. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network to share or receive content (that is, share video footage with a Roku device).
When devices are found, the Firefox SSDP component gets the location of an XML file where the settings for that device are stored.
However, Moberly found that in previous versions of Firefox, you could hide the Android “intent” commands in this XML and have the Firefox browser execute the “intent”, which could be a regular command like telling Firefox to access a link.
Example of exploitation scenario
To better understand how this bug could be turned into a weapon, imagine a scenario where a hacker enters an airport or shopping mall, connects to the WiFi network, and then launches a script on your laptop that sends spam to the network with malformed SSDP packets.
Any Android owner who uses a Firefox browser to browse the web during this type of attack will have their mobile browser hijacked and taken to a malicious site, or will be forced to install a malicious Firefox extension.
Another scenario is if an attacker targets vulnerable WiFi routers. Attackers could exploit vulnerabilities to take over outdated routers and then spam a company’s internal network and force employees to re-authenticate on phishing pages.
Earlier this week, Moberly published proof-of-concept code that could be used to carry out such attacks. Below are two videos from Moberly and an ESET security researcher demonstrating the attacks.
Moberly said it reported the bug to Mozilla earlier this summer.
The bug was fixed in Firefox 79; however, many users may not be running the latest version. The desktop versions of Firefox were not affected.
When contacted for comment, a Mozilla spokesperson recommended that users update to the latest version of Firefox for Android to be safe.
