Recently, an Australian security expert, Chris Moberly, detected a bug in Firefox that lets attackers hijack Firefox for Android browsers on the same Wi-Fi network. Not only that, by using this flaw, attackers can send users to malicious sites and ask them to install the latest browser update.
The attack can be leveraged by hackers on the same Wi-Fi network and manifests as applications on the targeted device launching abruptly, without the user's permission, and carrying out the activities specified by the intent.
Apart from this, Chris Moberly also confirmed that the desktop version of Firefox is not vulnerable; the flaw only affects the mobile version of Firefox for Android.
Bug in Firefox for Android
The experts affirmed that the vulnerable Firefox version periodically transmitted SSDP discovery messages, searching for second-screen devices to cast to. These messages were sent through UDP multicast to 220.127.116.11, which means that any device on the same network can see them.
That's why, if you run Wireshark on your LAN, you will see something on your network doing the same. However, any device on the local network can respond to these broadcasts and supply a location from which to obtain detailed information on a UPnP device.
After that, Firefox will try to access that location, expecting to obtain an XML file that conforms to the UPnP specifications, and this is where the vulnerability occurs. Rather than providing the location of an XML file describing a UPnP device, the threat actors can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI.
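The check that was missing in the flow described above can be sketched as follows. This is an added example, not Mozilla's fix and not code from the original article: the function names, the sample replies and the "same host as the responder" policy are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # a UPnP device description is fetched over HTTP

def parse_ssdp(datagram):
    """Return the headers of an SSDP (HTTP-over-UDP) message, names lower-cased."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status/request line
        if not line.strip():
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_location(datagram, sender_ip):
    """Decide whether the LOCATION of an SSDP reply is safe to fetch."""
    location = parse_ssdp(datagram).get("location")
    if location is None:
        return (False, "no LOCATION header")
    try:
        parts = urlsplit(location)
        host = parts.hostname
    except ValueError:
        return (False, "unparseable LOCATION")
    if parts.scheme not in ALLOWED_SCHEMES:
        return (False, "scheme %r is not http(s)" % parts.scheme)
    # Assumed stricter policy: the description must live on the host that answered.
    try:
        same_host = ipaddress.ip_address(host or "") == ipaddress.ip_address(sender_ip)
    except ValueError:
        return (False, "LOCATION host is not an IP literal")
    if not same_host:
        return (False, "LOCATION host differs from responder")
    return (True, "ok")

# Constructed sample replies (documentation addresses, placeholder intent URI).
GOOD_REPLY = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
              b"LOCATION: http://192.0.2.10:8008/description.xml\r\n\r\n")
BAD_REPLY = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
             b"LOCATION: intent://constructed-placeholder#Intent;end\r\n\r\n")

if __name__ == "__main__":
    for name, reply, sender in (("good", GOOD_REPLY, "192.0.2.10"),
                                ("bad", BAD_REPLY, "192.0.2.66")):
        print(name, check_location(reply, sender))
```

The same function can be run over SSDP replies captured on a LAN to flag responders that advertise a non-HTTP location.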
The experts have said that this vulnerability is not a fancy memory-corruption bug that can be triggered from anywhere in the world. The bug is quite simple, but at the same time it has a great impact on the victim.
The vulnerability resembles RCE (remote command execution), in that a remote threat actor can make the device perform unauthorized functions.
This flaw works with zero interaction from the end user, and that is why it can be called a wild vulnerability, one that can target known-vulnerable intents in other applications.
It is quite similar to a phishing attack in which a malicious site is forced onto the victim without their prior consent. Enhanced Tracking Protection, however, blocks many known third-party trackers by default in order to increase user privacy online.
Not only this, but they also added a private mode that adds another layer of privacy at the device level. This bug was fixed in Firefox 79, but there may be some users who are not running the latest release.
That's why the security expert, Chris Moberly, has also released a proof-of-concept exploit to the public, which Stefanko used to demonstrate the issue; you can watch the whole demonstration in the above video.