Mozilla has patched a bug that can be exploited to hijack all Firefox for Android browsers on the same WiFi network and force users to access malicious websites.
Chris Moberly, an Australian security researcher working for GitLab, discovered the bug.
The actual flaw lies in the Firefox SSDP component. When devices are discovered, the Firefox SSDP component gets the location of an XML file where that device’s configuration is kept.
However, Moberly found that in older versions of Firefox, Android “intent” commands could be hidden in this XML and the Firefox browser would execute them.
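The following is an added example, not Mozilla's patch or Moberly's code: a defensive check that a discovery client or a network monitor could apply, accepting only http(s) for the description location and flagging URL fields in the XML that carry another scheme such as `intent:`. The sample packet, the sample XML and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed samples (documentation address, placeholder intent URI).
SAMPLE_PACKET = (b"HTTP/1.1 200 OK\r\n"
                 b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
                 b"LOCATION: http://192.0.2.10:8080/desc.xml\r\n\r\n")
SAMPLE_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
<friendlyName>Constructed TV</friendlyName>
<presentationURL>intent://example.invalid/</presentationURL>
<iconList><icon><url>/icon.png</url></icon></iconList>
</device></root>"""

def split_url(value):
    """urlsplit() that returns None instead of raising on malformed input."""
    try:
        return urlsplit(value.strip())
    except ValueError:
        return None

def is_safe_url(value):
    """True only for absolute http(s) URLs that name a host."""
    parts = split_url(value)
    return bool(parts and parts.scheme in ALLOWED_SCHEMES and parts.netloc)

def ssdp_location(packet):
    """Return the LOCATION header of a raw SSDP message, or None."""
    for line in packet.decode("utf-8", "replace").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def suspicious_xml_values(xml_text):
    """List (element, text) for URL elements with a non-http(s) scheme."""
    findings = []
    # Hostile XML may also carry entity bombs: cap input size in production.
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rpartition("}")[2]      # drop the XML namespace
        if "url" not in name.lower():
            continue                            # URNs and UUIDs are expected elsewhere
        text = (elem.text or "").strip()
        parts = split_url(text)
        if parts is None or (parts.scheme and parts.scheme not in ALLOWED_SCHEMES):
            findings.append((name, text))       # relative paths pass; intent: does not
    return findings
```
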
To better understand how this bug could be weaponized, imagine a situation where a cybercriminal walks into an airport or mall, connects to the WiFi network, and then launches a script on their laptop that spams the network with malformed SSDP packets.
Any Android owner using a Firefox browser to browse the web during this kind of attack would have their mobile browser hijacked and taken to a malicious website, or be forced to install a malicious Firefox extension.
Another scenario is one where an attacker targets vulnerable WiFi routers. Attackers could use exploits to take over outdated routers, and then spam a company’s internal network and force employees to re-authenticate on phishing pages.
Moberly published proof-of-concept code that could be used to launch such attacks. Below are two videos of Moberly and an ESET security researcher demonstrating attacks.