Mozilla addresses major Firefox for Android vulnerability





A completely new vulnerability in the Firefox browser for Android devices, which could have given hackers access to both the contents of a handset’s SD card and the browser’s private data, was recently uncovered. The loophole was first discovered by Sebastián Guerrero Selma, an ethical hacker from viaForensics, who also detailed how the exploit could be conducted, according to Android Police.


Selma disclosed the issue to Mozilla, along with information about how it can be recreated and a proof-of-concept app as a demonstration. The company has now said that the vulnerability has been fixed with the v24 update, rolled out via the Play Store on September 17.


App data is stored in internal storage, and even the user is prevented from accessing it directly unless they have root access. The vulnerability discovered by Selma allowed hackers to get inside the secured folder that Firefox has created. The hack, according to Selma, can be launched remotely, or locally when the user executes a malicious HTML file or installs a malicious app. If successful, the hacker can access cookies, login credentials, bookmarks or anything else that Mozilla keeps inside its private folder. The ethical hacker also put up a proof-of-concept video showing how the vulnerability works.


Accessing a user’s SD card could have severe repercussions depending on what is stored. Apps traditionally do not have the ability to send personal files to a secondary server without prior consent. But permission to read and write external storage on the device is often given to most browsers, in an attempt to make surfing easier.


A representative from Mozilla told Android Police that with the v24 update the exploit cannot be carried out by a remote web page, but can be performed if the user executes a local malicious HTML file or installs a malicious app.


