Mozilla wants Firefox for Android users to update to v79 immediately if they haven’t already. A new security bug has been discovered in Firefox for Android that allows the mobile browser to be compromised over Wi-Fi. Mozilla has already patched the issue, so if you use Firefox for Android, update the app as soon as possible.
Firefox for Android LAN Attack
This bug was discovered by Chris Moberly, an Australian security expert at GitLab, a GitHub alternative platform. As he explains, the SSDP engine in older versions of Firefox for Android is responsible for the bug. In Firefox for Android v68.11.0 and below, attackers can exploit the SSDP engine. This way, attackers trick users into “triggering Android URIs with zero user interaction.”
This attack is sophisticated for several reasons. For instance, it doesn’t require the target to visit any malicious website in Firefox for Android. That makes the attack extremely difficult to detect, since nothing obviously suspicious appears on the display. It neither tricks Firefox for Android users into installing a malicious file on their phone nor relies on a Man-in-the-Browser attack.
Found a neat little Firefox for Android bug. Current version is not vulnerable, please make sure you are up to date. 🙂 https://t.co/p31XPGBsze pic.twitter.com/coG3tcMiAI
— initstring (@init_string) September 15, 2020
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s WiFi, and their device will start launching application URIs under the attacker’s control,” Moberly explained.
Moberly came across the bug while Mozilla was rolling out Firefox for Android v79. According to Moberly, the Google Play Store briefly pushed a vulnerable version for users to install. After he reported the bug to Mozilla, the company acknowledged the issue and outlined where it came from. Mozilla then confirmed that the vulnerability was excluded in the newest version and patched things up.
If you have enabled automatic app updates, you must have received the update to Firefox for Android immediately after connecting to Wi-Fi. If you aren’t sure which version is installed on your Android device, navigate to Settings > About Firefox.
If your Firefox for Android is already on version 79 or above, you have absolutely nothing to worry about anymore.