October 24, 2020

Firefox for Android vulnerability let attacker hijack devices

2 min read

Mozilla has recently fixed a vulnerability in the Android version of Firefox. Attackers can use the vulnerability to hijack the user’s browser.

Researchers claim that if they successfully exploit the vulnerability, they can even hijack all the Android Firefox browsers in the local area network and force users to open malicious and phishing websites.

The researcher reported the vulnerability to Mozilla and was confirmed. Mozilla quickly fixed the vulnerability and submitted it to the app store to wait for user updates.

The vulnerability lies in the Simple Service Discovery Protocol (SSDP) component used by the Android version of Firefox. SSDP is a simple service discovery protocol that can be used to find specific devices in the local area network.

The Android version of Firefox uses this protocol to find other devices in the local area network for content sharing or reception, such as sharing videos on a set-top box.

After finding the device, the browser component will automatically obtain the device configuration storage location, and the discovery protocol used in the old version of Firefox has a specific vulnerability.

Attackers can use the vulnerability to send malformed data packets through scripts, allowing Firefox to use them as regular commands to execute and operate tasks.

Although it sounds like this vulnerability is not very serious, in fact, attackers can weaponize the vulnerability and launch large-scale attacks in a variety of specific scenarios.

For example, a public wireless network is provided in an airport or a train station. As long as the attacker connects to the wireless network, it can send data packets to manipulate all Firefox browsers.

Attackers can also choose to attack certain routers. After controlling the routers through other vulnerabilities, they can use Firefox vulnerabilities to send junk packets on the company’s intranet.

Force employees who use the Android version of the Firefox browser to automatically open the phishing authentication interface, and then induce employees to enter their account and password on the authentication interface.

Both of the above two scenarios can launch large-scale attacks. Attackers can easily send advertisements and spam to users or even open phishing websites.

After fixing the vulnerability, Mozilla warned all users to upgrade to the latest version. This vulnerability only affects Firefox for the Android version and does not affect the Firefox desktop version.

Researchers have released a proof-of-concept video to exploit this vulnerability. Therefore, users who use Firefox for Android should also upgrade to the latest version as soon as possible to prevent hijacking. The researcher’s proof of concept video can be viewed here.