Bug Allowed Hijacking Other Firefox Mobile Browsers on the Same Wi-Fi Network (zdnet.com)
"Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same Wi-Fi network and force users to access malicious sites, such as phishing pages," reports ZDNet:
The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (i.e., such as sharing video streams with a Roku device).
When devices are found, the Firefox SSDP component gets the location of an XML file where that device's configuration is stored. However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command like telling Firefox to access a link...
The bug was fixed in Firefox 79; however, many users may not be running the latest release. Firefox for desktop versions were not impacted.
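The discovery flow in the excerpt above has two inputs a browser ends up trusting: the LOCATION header of the SSDP response and the device-description XML it points to. The following is an added example, not code from ZDNet, Mozilla or Moberly's write-up, of a small defender-side audit helper that a network operator could run over captured SSDP traffic to flag responses a client should not act on: a LOCATION whose scheme is not plain http(s), a LOCATION that points outside the local subnet, and URL-bearing elements in the XML that carry a non-http(s) scheme such as an Android "intent:" URI. The SSDP response, both XML documents, the 192.168.1.0/24 subnet and the list of URL-bearing element names are all constructed assumptions for the example.

```python
"""Passive SSDP audit helper (added example; not Mozilla's, ZDNet's or
Moberly's code).  Flags SSDP responses and UPnP device descriptions that
carry values a discovery client should never follow."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
# UPnP device-description elements expected to hold URLs (assumed list).
URL_ELEMENTS = {"URLBase", "presentationURL", "SCPDURL", "controlURL",
                "eventSubURL", "url"}


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse the HTTP-style header block of an SSDP 200 OK or NOTIFY message.
    Header names are upper-cased; the first line is kept as the start line."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")  # split on the FIRST colon only
        headers[name.strip().upper()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def check_location(location: str, local_net: str) -> list:
    """Return findings for a LOCATION header value; empty list means sane."""
    findings = []
    parts = urlsplit(location)
    if parts.scheme.lower() not in SAFE_SCHEMES:
        findings.append(f"LOCATION uses non-http(s) scheme {parts.scheme!r}")
        return findings
    host = parts.hostname
    try:
        ip = ipaddress.ip_address(host)  # raises ValueError for names/None
    except ValueError:
        findings.append(f"LOCATION host {host!r} is not an IP literal")
        return findings
    if ip not in ipaddress.ip_network(local_net):
        findings.append(f"LOCATION host {ip} is outside {local_net}")
    return findings


def check_description_xml(xml_text: str) -> list:
    """Walk the device description and flag URL fields with odd schemes.
    ElementTree does not fetch external entities by default; for production
    use on untrusted input a hardened parser (e.g. defusedxml) is preferable."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"description XML does not parse: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the UPnP namespace prefix
        value = (elem.text or "").strip()
        if tag in URL_ELEMENTS and value:
            scheme = urlsplit(value).scheme.lower()
            if scheme and scheme not in SAFE_SCHEMES:
                findings.append(f"<{tag}> carries non-http(s) scheme {scheme!r}")
    return findings


def audit(raw_response: bytes, description_xml: str,
          local_net: str = "192.168.1.0/24") -> list:
    """Audit one SSDP response plus the description it advertised."""
    parsed = parse_ssdp_response(raw_response)
    location = parsed["headers"].get("LOCATION")
    if location is None:
        return ["SSDP response has no LOCATION header"]
    return check_location(location, local_net) + check_description_xml(description_xml)


# Constructed sample traffic (not captured from any real device).
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=3600\r\n"
    b"ST: roku:ecp\r\n"
    b"LOCATION: http://192.168.1.50:8060/\r\n"
    b"USN: uuid:roku:ecp:CONSTRUCTED-PLACEHOLDER\r\n\r\n"
)
BENIGN_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <friendlyName>Living room TV (constructed sample)</friendlyName>
    <presentationURL>http://192.168.1.50:8060/</presentationURL>
  </device>
</root>"""
SUSPICIOUS_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <friendlyName>Looks like a TV (constructed sample)</friendlyName>
    <presentationURL>intent://example.invalid/</presentationURL>
  </device>
</root>"""

if __name__ == "__main__":
    print("benign:", audit(BENIGN_RESPONSE, BENIGN_XML))
    print("suspicious:", audit(BENIGN_RESPONSE, SUSPICIOUS_XML))
```

The checks are deliberately scheme-based rather than pattern-based: a discovery client has no business dereferencing anything other than http(s) at either stage, so allow-listing the scheme catches the class of problem the excerpt describes without having to enumerate payload shapes.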
WTF why is this in a browser? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:3)
Shit like this is proof that Firefox jumped the shark years ago and they still wonder why everyone stopped using it. The irony is that it became even more bloated than the bloat it replaced, i.e. Netscape Navigator.
Re: (Score:2)
Exactly!
What is this?
A domain war?
Are they trying to take over all functions of an operating system or what?
Re: (Score:2)
The desire to turn a powerful tool into all tools is very difficult to resist.
Browser as application platform (Score:2)
Are they trying to take over all functions of an operating system or what?
From the start of browser scripting features, browsers have been viewed by some as a way to provide an application platform that enables writing single applications that run on multiple OSes, without explicit per-OS code, or even OS awareness, in the applications themselves.
But the more classes of things the browser platform enables, the more OS features have to be provided in its API. So the tendency, especially in browser market-sh
Re: (Score:2)
This is because products are being designed for the living room, and then deployed outside the living room.
Really all things that use multicast for discovering stuff on the "local network" are following a very old model no longer used in well run enterprises, which was later used to make things plug and play for gadgets in home setups. Using multicast on WiFi is especially cretinous since it consumes airtime. Best-practice networks these days turn it off on the access points... not to mention users are di
Re: (Score:2)
It's one of many protocols that are supposed to make things work "automagically".
It certainly succeeded in making exploits work automagically!
A ploy to make everyone upgrade to 79 (Score:3)
This is discovered less than a month after disastrous release of Firefox 79 which disables old useful features and kills most of extensions. I hope this gets fixed in F-Droid's Fennec which tracks the older Firefox release.
Re: (Score:3)
Living with this bug is better than having to put up with the latest FF POS. How is it that every major upgrade of Firefox is worse than the last?
And they wonder why they are losing market share.
Damn it! (Score:1)
Potential workaround (Score:4, Informative)
The discussion below mentions that users can disable SSDP by going to about:config and toggling browser.casting.enabled to false:
https://bugzilla.mozilla.org/s... [mozilla.org]
This might be a workaround for Firefox for Android users that don't want to use the latest releases.
Re: (Score:3)
Thanks for the tip. Mozilla should have this advice here IMO. https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections [mozilla.org]
Great idea (Score:1)