Mozilla fixed a bug that could have let attackers hijack any Firefox Android browser sharing the same Wi-Fi network.
Firefox Android web browser users must upgrade to the latest available version of the Firefox Android app to prevent their devices from being hijacked. The reason is a vulnerability that attackers can exploit to hijack all Firefox web browsers on the same network.
Chris Moberly, an Australian security researcher associated with GitLab, identified a remote command execution vulnerability in the SSDP (Simple Service Discovery Protocol) engine of older versions of the Firefox web browser for Android phones.
This vulnerability can be exploited to compromise every device that is connected to the same wireless network as the attacker and has the Firefox app installed.
Later, ESET security researcher Lukas Stefanko posted a tweet to alert Firefox web browser users and demonstrated how the high-risk vulnerability could affect the Firefox app for Android.
SSDP is a UDP-based protocol and part of Universal Plug and Play (UPnP). It is used for locating other devices connected to the same Wi-Fi network to share/receive content such as shared video streams using a Roku device.
Firefox for Android periodically sends out SSDP discovery messages to the mobile phones connected to the same network to find second-screen devices to cast to. After locating the connected devices, the Firefox SSDP component tracks the location of an XML file, which stores the device’s configuration details.
Android users browsing the web via Firefox will get their mobile hijacked. Once compromised, the browser will launch automatically and redirect the user to phishing pages where they will have to enter their credentials, to malicious sites, or to pages that install malicious Firefox extensions.
Alternatively, attackers can target vulnerable Wi-Fi routers and may leverage exploits to compromise outdated ones. They could then spam the internal networks of a company and force its staff to re-authenticate on phishing sites.
Exploitation of LAN vulnerability found in Firefox for Android
I tested this PoC exploit on 3 devices on same wifi, it worked pretty well.
I was able to open custom URL on every smartphone using vulnerable Firefox (68.11.0 and below) found by @init_string https://t.co/c7EbEaZ6Yx pic.twitter.com/lbQA4qPehq
— Lukas Stefanko (@LukasStefanko) September 18, 2020
As per Moberly’s findings, in older versions of Firefox, Android “intent” commands can be hidden in the XML file, and the Firefox browser then executes them. It could be any regular command, such as forcing Firefox to access a link.
“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control,” Moberly explained.
He published a proof-of-concept earlier this week explaining how such attacks would be carried out. He also reported the vulnerability to the Firefox team. Mozilla has now patched this flaw, and users must immediately update to Firefox for Android version 80 or above.