According to Sebastián Guerrero of viaForensics, the Firefox browser app for Android is vulnerable to hackers.
He responsibly disclosed to Mozilla the details of a flaw that allows hackers to access both the contents of the SD card and the browser's private data.
Successful exploitation allows an attacker to access files on the SD card as well as all of the user's cookies, login credentials, bookmarks, etc. This is a privacy issue and could be severe depending on what is stored there, including personal pictures and video, or data placed there by other applications.
Files are accessed through the standard "file://" URI syntax. Firefox encrypts the data stored in internal storage, which is why hackers also introduce a third-party app that obtains the encrypted keys stored on the device.
"However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla think should be kept safely tucked away," the Android Police blog explained.
We contacted Sebastián to get more details. A quick FAQ on the matter follows:
A. The exploit cannot be executed by a remote web page. This flaw works only if you install an application, but there is another vulnerability in Firefox that could allow an attacker to install applications without the user's knowledge. I disclosed it to Firefox, but another researcher did the same before me.
But it is possible to host the malicious HTML file somewhere and, using some social engineering, an attacker can make the victim download and execute the file locally in their Firefox app.
Q. To steal the files from the victim's SD card, does an attacker need to pre-define the file names or folder path in the exploit code?
A. Nope, there is no need to specify the path, because I'm obtaining the salted folder generated by Firefox at runtime, due to a vulnerability. So I can make a copy of the SD card, because the path will always be /sdcard, and for the private folder located at /data/data/org.mozilla.firefox, I'm obtaining the generated salted profile at runtime.
Q. Where and how will stolen files be uploaded?
A. You can upload it where you want, i.e. using the exploit code we are opening a socket connection against the remote FTP server to upload stolen files.
Q. Is there any CVE ID or Mozilla Security Advisory ID defined for the vulnerability yet?
A. As far as I know there isn't a CVE assigned to this vulnerability.
Mozilla has patched the vulnerability in Firefox 24 for Android. Just a few weeks back, a Russian hacker put a zero-day exploit up for sale that forces the Android Firefox browser to download and execute a malicious app.