Firefox App for Android can get hijacked due to high-risk vulnerability

Flaw residing in the SSDP engine lets hackers exploit browsers on Android phones connected to the same Wi-Fi network

Mozilla recommends to update Firefox browser for all Android users because they found and fixed a new vulnerability.

The new Mozilla Firefox browser vulnerability allows hackers to exploit targeted Android phones if they are connected to the same Wi-Fi network as the attacker and have the Firefox browser installed in their devices.^[1] By using this bug, hackers can automatically launch the victim's browser and open any defined URL on the phone. It's a sufficient way to trick victims into installing malicious apps, providing their credentials, and more.

The bug resides in the SSDP engine of the browser. SSDP^[2] (Simple Service Discovery Protocol) is a text-based protocol that is part of UPnP for finding devices on a network. In Android phones, Firefox periodically sends out SSDP discovery messages to other devices connected to the same network. This way browser is looking for second-screen devices to cast.

Any phone on the local network can respond to these messages and provide a location to obtain detailed information on the device. After that, Firefox tries to access that location to find an XML file because the browser wants to confirm the UPnP specifications.

But the SSDP engine of the victim's browsers can be tricked into triggering an Android intent by simply replacing the location of the XML file in the response packets with a specially created message pointing to an Android intent URI. That's how the hacker can run a malicious SSDP server on his device and trigger command on nearby Android phones through a vulnerable Firefox browser.

The victim becomes a target without any malicious app on the phone

The bug was firstly discovered by an Australian security researcher Chris Moberly.^[3] He reported the vulnerability to Mozilla and explained how dangerous it is for all Android users:

The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe's WiFi, and their device will start launching application URIs under the attacker's control.

He also said that this bug could be used in a similar way like phishing attacks^[4] because hacker delivers a malicious site redirect to victims with the hope that they would enter sensitive information or agree to install a malicious app.

ESET security researcher Lucas Stefanko also tweeted^[5] an alert to demonstrate the exploitation of this Firefox app for Android vulnerability. He said that he was able to open a custom URL on three smartphones using vulnerable Firefox (68.11.0 and below).

Mozilla recommends updating the Firefox browser to the newest version

Chris Moberly reported this bug to Mozilla developers a few weeks back. Mozilla team has now fixed this vulnerability by creating a patch in the new Firefox app for Android versions. But if Android users want to be secure again, they should update their browser to the newest Firefox version as soon as possible. All users should use 80 or later versions.

If you don't know which version you are using, you can verify it by using these easy instructions:

1. open Firefox on your Android device,
2. click three dots next to the address bar,
3. go “Settings” and click “About Firefox”.

Your device is safe if the Firefox version is 79 or above, so you do not need to take any additional measures. Also, as we already wrote, this vulnerability impact only the mobile Mozilla Firefox version, the desktop version users cannot be affected by this exploitation.