A Bug Could Let Attackers Hijack Firefox for Android via Wi-Fi Network
2020-09-19 12:04

Dear Android users, if you use the Firefox web browser on your smartphones, make sure it has been updated to version 80 or the latest available version on the Google Play Store.

Originally discovered by Australian security researcher Chris Moberly, the vulnerability resides in the browser's SSDP engine. An attacker can exploit it to target Android smartphones that have the Firefox app installed and are connected to the same Wi-Fi network as the attacker.

Any device on the local network can respond to the SSDP discovery broadcasts that Firefox sends and provide a location from which detailed information on a UPnP device can be obtained. Firefox then attempts to access that location, expecting to find an XML file conforming to the UPnP specifications.

According to the vulnerability report Moberly submitted to the Firefox team, the SSDP engine of the victims' Firefox browsers can be tricked into triggering an Android intent simply by replacing the location of the XML file in the response packets with a specially crafted message pointing to an Android intent URI. To do this, an attacker connected to a targeted Wi-Fi network can run a malicious SSDP server on their own device and trigger intent-based commands on nearby Android devices through Firefox, without requiring any interaction from the victims.
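The check a client would want before opening the location from an SSDP response, as an added example (not Mozilla's patch and not code from the original report). The function names, the sample packets and the policy that the LOCATION host must be the IP address of the responding device are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # a UPnP description file is fetched over HTTP

def parse_ssdp_headers(datagram: bytes) -> dict:
    """Parse an SSDP (HTTP-over-UDP) message into {UPPERCASE-NAME: value}."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:              # lines[0] is the status line
        if not line:                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def location_problems(datagram: bytes, sender_ip: str) -> list:
    """Return reasons the LOCATION value should not be opened; [] means acceptable."""
    location = parse_ssdp_headers(datagram).get("LOCATION")
    if not location:
        return ["missing LOCATION header"]
    try:
        parts = urlsplit(location)
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError:
        return ["LOCATION is not a parseable URL"]
    if scheme not in ALLOWED_SCHEMES:   # rejects intent: and any other non-HTTP URI
        return [f"scheme '{scheme}' is not http/https"]
    try:
        host_ip = ipaddress.ip_address(host or "")
    except ValueError:
        return [f"host '{host}' is not an IP literal"]
    if host_ip != ipaddress.ip_address(sender_ip):  # assumed policy, see lead-in
        return ["LOCATION host differs from the responding device"]
    return []

# Constructed sample responses (not captured traffic).
_HEAD = b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
GOOD = _HEAD + b"LOCATION: http://192.168.1.20:8008/dd.xml\r\n\r\n"
BAD_SCHEME = _HEAD + b"LOCATION: intent://constructed.example#Intent;end\r\n\r\n"
BAD_HOST = _HEAD + b"LOCATION: http://203.0.113.7/dd.xml\r\n\r\n"

if __name__ == "__main__":
    for pkt, sender in ((GOOD, "192.168.1.20"), (BAD_SCHEME, "192.168.1.66"),
                        (BAD_HOST, "192.168.1.66")):
        print(sender, location_problems(pkt, sender) or "ok")
```

The same function can be run over SSDP responses pulled from a packet capture to flag devices that advertise a non-HTTP location.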

Moberly reported the vulnerability to the Firefox team a few weeks back, and the browser maker has now patched it in Firefox for Android version 80 and later.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/q-dRKh06seo/firefox-android-wifi-hacking.html