A new vulnerability in Mozilla Firefox for Android was just discovered. It was made public by security researcher Lukas Stefanko, who disclosed it in a Twitter alert. The vulnerability is high-risk and can lead to remote code execution. Android users who use the mobile version of the Firefox browser should update to the latest version, version 80.
It is noteworthy that the flaw was first discovered by Australian researcher Chris Moberly. The researcher says that the bug is located in the SSDP engine in Firefox for Android (68.11.0 and below), which “can be tricked into triggering Android intent URIs with zero user interaction.”
How can the vulnerability in Firefox for Android be exploited?
Attackers on the same WiFi network can exploit the flaw to make applications on the target device launch suddenly, without the user’s permission. The only condition for the attack is that Firefox is running on the Android device. Potential victims don’t need to visit any malicious sites or interact with malicious links. “No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s WiFi, and their device will start launching application URIs under the attacker’s control,” Moberly explains.
It’s also worth mentioning that Moberly came across the issue while version 79 of Firefox Mobile was being rolled out globally. The Google Play Store was still serving a vulnerable version at that time, but only for a short period, he says. The researcher reported the issue directly to Mozilla. Fortunately, Mozilla was quick to respond and “pleasant to work with”, providing useful information on the origin of the flaw. Mozilla also confirmed that the vulnerable functionality wasn’t part of the newest version of the browser, and made sure that the vulnerable code would not be re-introduced at a later stage.
As long as you have app updates enabled and have recently connected to WiFi, you should have received the new version and are safe from exploitation. You can verify this yourself by opening Firefox on your device, clicking the three dots next to the address bar, and navigating to “Settings -> About Firefox”, Moberly noted.
In conclusion, users who have version 79 or above of Firefox Mobile for Android are safe.
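
For checking more than one device, the version statements above (68.11.0 and below vulnerable, 79 or above safe) can be applied to an exported app inventory. This is an added example, not code from Mozilla or the researcher; the CSV layout and device names are constructed, and versions between 68.11.0 and 79 are reported as "unconfirmed" because the article does not classify them.

```python
import csv
import io

# Thresholds taken from the article text.
LAST_VULNERABLE = (68, 11, 0)   # "68.11.0 and below"
FIRST_SAFE = (79, 0, 0)         # "version 79 or above"

# Constructed sample inventory (hypothetical device names and export format).
SAMPLE_INVENTORY = """device,firefox_version
pixel-ops-01,68.11.0
galaxy-hr-07,68.9.0
pixel-dev-03,79.0.5
moto-lab-02,80.1.3
tablet-kiosk-04,68.12.0
old-phone-09,unknown
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Map a version string to vulnerable / safe / unconfirmed / unparsed."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # needs a manual check on the device
    # Pad to three components so "68.11" compares equal to "68.11.0".
    padded = version + (0,) * (3 - len(version))
    if padded <= LAST_VULNERABLE:
        return "vulnerable"
    if padded >= FIRST_SAFE:
        return "safe"
    return "unconfirmed"  # range the article makes no statement about

def triage(inventory_csv):
    """Return {device: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: classify(row["firefox_version"]) for row in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:18} {status}")
```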