A serious bug exists in Firefox for Android browsers that allows hijacking other phones’ browsers connected on the WiFi. Upgrade your phones Firefox browsers at the earliest.
Firefox Android Bug Allow Browser Hijacking
Researchers have found a serious bug in Firefox for Android browser. Exploiting the vulnerability allows an adversary to hijack the Firefox browser on other phones connected to the same WiFi network.
As explained in a post, the vulnerability Simple Service Discovery Protocol (SSDP) component of the Firefox browser. It empowers Firefox to discover other devices on the same network. Hence, it facilitates remote sharing of data, such as streaming with Roku.
Upon discovering the devices, Firefox SSDP receives the location of an XML file that conforms to the UPnP specifications.
That is where the bug existed. According to the researcher, Chris Moberly,
Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.
Exploiting the bug was not so difficult as it required no user interaction. Successful attacks could allow an attacker to open malicious links on other devices to conduct phishing attacks, or, to install malicious apps on the devices by displaying malicious prompts.
The researcher has shared the technical details and PoC exploit in his post. Also, he shared the following video demonstrating the attack.
Found a neat little Firefox for Android bug. Current version is not vulnerable, please make sure you are up to date. 🙂 https://t.co/p31XPGBsze pic.twitter.com/coG3tcMiAI
— initstring (@init_string) September 15, 2020
Whereas, Lukas Stefanko of ESET also shared a PoC.
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
Update To Firefox 79
Moberly found that the vulnerability affected Firefox for Android browser versions 68.11.0 and below. Upon discovering the bug, he reached out to Mozilla who then confirmed that the flaw did not affect their latest release Firefox 79 for Android.
This vulnerability typically affects Firefox for Android browsers; the desktop versions remain unaffected.
Since the patch is already out, all Android users having Firefox browsers on their devices must update the browser.