Firefox flaw let hackers hijack Android browser over Wi-Fi

Mozilla has rushed out a fix for the bug that bears resemblance to an RCE flaw

A security flaw could have allowed cyber criminals to hijack vulnerable Firefox for Android browsers running on devices joined up to the same Wi-Fi network.

The vulnerability, which has been patched by Mozilla, allowed hackers to force users into visiting sites hosting malicious content, which could subsequently be used to execute phishing attacks or download malware to their devices.

Discovered by ESET security researcher Chris Moberly, the bug lies in Firefox’s Simple Service Discovery Protocol (SSDR), a network protocol for advertisement and the discovery of network services and presence information.

Vulnerable iterations of the Firefox for Android browser, noted as being versions 68.11.0 and below, routinely send out SSDP discovery messages in order to seek out a second-screen device connected to the same local network. 

Devices connected to the local network can respond to these messages, providing the location of an eXtensible Markup Language (XML) file containing their configuration details, which Firefox will attempt to access.

“This is where the vulnerability comes in,” Moberly explained on his GitLab page detailing the nature of the exploit. 

“Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.”

This fairly straightforward logic bug would allow cyber criminals to click links on other users’ phones via the Firefox browser. Moberly added the vulnerability resembles remote code execution (RCE) in that a remote attacker can trigger the device to perform unauthorised functions with no interaction from the end-user.

Should the bug had been used in the wild, it could have targeted known vulnerabilities in other applications, or it could have been deployed in a way similar to phishing, where a malicious site is thrust upon a victim without their knowledge.

The bug was reported to Mozilla as soon as it was discovered, and the organisation responded immediately, confirming it was not present in the newest version of the browser. Mozilla also opened issues to ensure the offending code was not re-introduced at a later stage.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020