Android's Firefox app Vulnerability allows hacker to steal files from SD card

Go down

Android's Firefox app Vulnerability allows hacker to steal files from SD card Empty Android's Firefox app Vulnerability allows hacker to steal files from SD card

Post by The Boss on 2014-08-31, 9:13 pm

Android's Firefox app Vulnerability allows hacker to steal files from SD card Android%27s+Firefox+app+Vulnerability+allows+hacker+to+steal+files+from+SD+card

Mobile Browsers are complicated applications and locking them down against threats is extremely difficult. According to a Mobile Security Researcher, Sebastián Guerrero from 'viaForensics', Android's Firefox browser app is vulnerable to Hackers.

He responsibly disclosed the details to Mozilla, that allows hackers to access both the contents of the SD card and the browser's private data.

He posted a video showing how hackers will be able to access data on the device. The flaw works only if a user install a malicious application or opened a locally stored HTML file in the vulnerable Firefox app that included

[You must be registered and logged in to see this link.]

Files are accessed through the standard “file://” URI syntax. Firefox encrypts the data stored in internal storage which is why hackers also introduce a third-party app which gets the encrypted keys stored on the device.

"However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla think should be kept safely tucked away." Androidpolice blog explained.

We contacted Sebastián to get more details, please find a quick FAQ on the matter as follows:

Q. Can an attacker host the malicious Javascript code HTML file on a server to exploit the flaw remotely by making victim to visit the website only ?
A. The exploit cannot be executed by a remote web page. This flaw works only if you install an application, but there is another vulnerability in Firefox that could allow an attacker to install applications without user's knowledge. I disclosed it to  the Firefox, but other researcher did the same before me.

But it's possible to host the malicious HTML file somewhere and using some social engineering , attacker can make victim to download and execute the file locally on their Firefox app.

Q. To steal the files from the victim's SD card, an attacker need to pre-define the file names or folder path in the exploit code ?
A. Nope, there is no need to specify the path, because I'm obtaining the salted folder generated by Firefox at runtime, due to a vulnerability. So I can make a copy of the SDcard, because the path will be always /sdcard, and for the private folder locates at /data/data/org.mozilla. Firefox, I'm obtaining at runtime the salted profile generated.

Q. Where and how stolen files will be uploaded ?
A. You can upload it where you want i.e. Using exploit code we are opening a socket connection against the remote FTP server to upload stolen files.

Q. Is there any CVE ID or Mozilla's Security Advisories ID defined for the Vulnerability yet ?
A. As far as I know there isn't a CVE assigned to this vulnerability.

Mozilla has patched the vulnerability in patched in Firefox 24 for Android. Just few weeks back a Russian hacker put up a Zero-day Exploit for sale, that forces the Android Firefox browser to download and execute a malicious app.
The Boss
The Boss

Posts : 481
Join date : 2014-07-14

View user profile

Back to top Go down

Back to top

- Similar topics

Permissions in this forum:
You cannot reply to topics in this forum