Dear Android users, if you use the Firefox web browser on your smartphones, make sure it has been updated to version 80 or the latest available version on the Google Play Store.
ESET security researcher Lukas Stefanko yesterday tweeted an alert demonstrating the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android.
Discovered originally by Australian security researcher Chris Moberly, the vulnerability resides in the browser's SSDP engine and can be exploited by an attacker on the same Wi-Fi network to target Android smartphones that have the Firefox app installed.
SSDP, which stands for Simple Service Discovery Protocol, is a UDP-based protocol that is part of UPnP and is used for finding other devices on a network. On Android, Firefox periodically sends out SSDP discovery messages to other devices connected to the same network, looking for second-screen devices to cast to.
Any device on the local network can respond to these broadcasts with a location from which detailed information about a UPnP device can be obtained; Firefox then attempts to access that location, expecting to find an XML file conforming to the UPnP specifications.
According to the vulnerability report Moberly submitted to the Firefox team, the SSDP engine of a victim's Firefox browser can be tricked into triggering an Android intent simply by replacing the location of the XML file in the response packets with a specially crafted message pointing to an Android intent URI.
To exploit this, an attacker connected to the targeted Wi-Fi network can run a malicious SSDP server on his/her device and trigger intent-based commands on nearby Android devices through Firefox, without requiring any interaction from the victims.
Activities allowed by the intent also include automatically launching the browser and opening any defined URL, which, according to the researchers, is sufficient to trick victims into providing their credentials, installing malicious apps, and other malicious activities depending on the surrounding scenario.
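The defensive check that the flaw comes down to is validating what the LOCATION header of an SSDP reply points to before the client follows it. The following added example (written for this article, not Mozilla's or Moberly's code) parses a reply's header block and accepts LOCATION only when it is an http(s) URL; the two sample replies are constructed, and the `intent://PLACEHOLDER` value is a stand-in, not a real intent URI.

```python
from urllib.parse import urlsplit

# Constructed sample SSDP unicast replies (not captured traffic), CRLF-delimited.
BENIGN_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.20:49152/description.xml\r\n"
    "USN: uuid:placeholder-device-id::upnp:rootdevice\r\n"
    "\r\n"
)
# Constructed reply whose LOCATION is not an HTTP URL (placeholder value only).
SPOOFED_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: upnp:rootdevice\r\n"
    "Location: intent://PLACEHOLDER\r\n"
    "\r\n"
)

ALLOWED_SCHEMES = {"http", "https"}

def parse_ssdp_reply(raw: str) -> dict:
    """Parse the header block of an SSDP 200 OK reply; keys are lower-cased
    because SSDP header names are case-insensitive."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def location_is_fetchable(headers: dict) -> bool:
    """Accept LOCATION only if it is an http(s) URL with a host; any other
    scheme (such as an intent: URI) must never be handed to the OS."""
    location = headers.get("location")
    if not location:
        return False
    parts = urlsplit(location)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)

def check_reply(raw: str) -> bool:
    """True only for a well-formed reply whose LOCATION may be fetched."""
    try:
        return location_is_fetchable(parse_ssdp_reply(raw))
    except ValueError:
        return False
```

The same scheme whitelist applies equally to the LOCATION in multicast NOTIFY advertisements, which this example does not parse.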
"The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe's Wi-Fi, and their device will start launching application URIs under the attacker's control," Moberly said.
"it could have been used in a way similar to phishing attacks where a malicious site is forced onto the target without their knowledge in the hopes they would enter some sensitive info or agree to install a malicious application."
Moberly reported this vulnerability to the Firefox team a few weeks ago, and the browser maker has now patched it in Firefox for Android version 80 and later.
Moberly has also publicly released a proof-of-concept exploit, which Stefanko used to demonstrate the issue in the above video against three devices connected to the same network.