Image: Lukas Stefanko
Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same WiFi network and force users to access malicious sites, such as phishing pages.
The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab.
The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (e.g., sharing video streams with a Roku device).
When devices are found, the Firefox SSDP component gets the location of an XML file where that device’s configuration is stored.
However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command such as telling Firefox to open a link.
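As an added example (not code from the article, from Mozilla, or from Moberly's proof of concept), here is a small Python check a network monitor could run over the two ingredients described above: an SSDP LOCATION header that is not a plain http(s) URL, and a device description XML in which some field carries an Android `intent:` URI. The SSDP datagram and the XML are constructed samples; the `intent:` scheme is the standard Android intent URI format, and the 192.0.2.10 address is a documentation address.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample SSDP NOTIFY datagram; not captured from a real device.
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "LOCATION: http://192.0.2.10:8080/device.xml\r\n"
    "USN: uuid:constructed-example::upnp:rootdevice\r\n\r\n"
)

# Constructed device description in which one field carries an Android
# intent URI instead of an ordinary value (illustrative, not the real PoC).
SAMPLE_XML = (
    '<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
    "<friendlyName>Living room TV</friendlyName>"
    "<presentationURL>intent://example.test/#Intent;end</presentationURL>"
    "</device></root>"
)

def parse_ssdp_headers(datagram: str) -> dict:
    # SSDP is HTTP-like: a start line, then "Name: value" lines, CRLF separated.
    headers = {}
    for line in datagram.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def location_is_suspicious(location: str) -> bool:
    # A device description must be fetched over http(s); any other scheme
    # (or an empty LOCATION) is worth an alert.
    return urlsplit(location).scheme.lower() not in ("http", "https")

def intent_fields(xml_text: str) -> list:
    # Walk every element; report text or attribute values using the intent: scheme.
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            if re.match(r"\s*intent:", value, re.IGNORECASE):
                hits.append((elem.tag.split("}")[-1], value.strip()))
    return hits

def assess(datagram: str, xml_text: str) -> dict:
    location = parse_ssdp_headers(datagram).get("location", "")
    return {"location": location,
            "bad_scheme": location_is_suspicious(location),
            "intent_fields": intent_fields(xml_text)}
```

Fetching the XML that LOCATION points to is left to the caller, so the check runs offline on already-captured traffic.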
Sample exploitation scenario
To better understand how this bug could be weaponized, imagine a scenario where a hacker walks into an airport or mall, connects to the WiFi network, and then launches a script on their laptop that spams the network with malformed SSDP packets.
Any Android owner using a Firefox browser to navigate the web during this kind of attack would have their mobile browser hijacked and taken to a malicious site, or forced to install a malicious Firefox extension.
Another scenario is if an attacker targets vulnerable WiFi routers. Attackers could leverage exploits to take over outdated routers, and then spam a company’s internal network and force employees to re-authenticate on phishing pages.
Earlier this week, Moberly published proof-of-concept code that could be used to carry out such attacks. Below are two videos of Moberly and an ESET security researcher demonstrating attacks.
Moberly said he reported the bug to Mozilla earlier this summer.
The bug was fixed in Firefox 79; however, many users may not be running the latest release. Desktop versions of Firefox were not affected.
Reached for comment, a Mozilla spokesperson recommended that users upgrade to the latest version of Firefox for Android to be safe.