
Bug in Firefox allows browsers to be hijacked over Wi-Fi


We recommend that you immediately update Firefox for Android to the latest version if you have not already done so.

Mozilla has fixed a bug that could be used to hijack all Firefox browsers on Android smartphones on the same Wi-Fi network and force users to navigate to malicious sites, according to ZDNet.

The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab.

The actual vulnerability is in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism by which Firefox finds other devices on the same network in order to share or receive content (such as sharing video streams with a Roku device).

When devices are discovered, the Firefox SSDP component retrieves the location of the XML file that stores the device’s configuration.

However, Moberly discovered that in older versions of Firefox it was possible to hide Android "intent" commands in this XML and force the browser to execute them. An intent can be a normal command, such as telling Firefox to access a link.

Example of an exploitation scenario

To better understand how this bug can be exploited, imagine a scenario in which a hacker walks into an airport or mall, connects to a Wi-Fi network, and then runs a script on his laptop that sends malformed SSDP packets over the network.

Any Android owner using the Firefox browser during this type of attack will be forced to go to a malicious site or install a malicious extension.

Another scenario: an attacker targets vulnerable Wi-Fi routers. Hackers can use exploits to hijack outdated routers and then infiltrate a company’s internal network to redirect employees to phishing pages, forcing them to re-authenticate.

Earlier this week, Moberly published code that can be used to carry out such attacks. Below are two videos in which Moberly and an ESET security researcher demonstrate the attack.

Moberly said he reported the bug to Mozilla earlier this summer.

The bug has been fixed in Firefox 79; however, many users may not have the latest version. Firefox for desktop was unaffected.

