It is often argued and proven that Mozilla’s Firefox app is more resource-efficient and secure than Google’s Chrome app. Unfortunately, a GitLab security researcher may have burst the bubble with the latter point after he discovered a flaw in the Android version of the app.
The exploit in question was discovered within the SSDP engine for Firefox on Android, and the version is 68.11.0 and below. What is interesting about the exploit is that a hacker can trigger the engine in the app, without any interaction from a phone’s user.
Spicy exploit for firefox 68 on android
Local Area Network SSDP screencast😺 Thanks to @LukasStefanko https://t.co/xxAqcaTJUB
So now you can do this pic.twitter.com/yOLxsqFjAV— 0xcats (@0xCats) September 22, 2020
In fact, all the victim needs to do is to have the FireFox app running on their phone; to be absolutely clear, they do not need to have accessed a malicious website or clicked on a malicious link. They can simply be doing something completely innocent or ordinary, and the attacker will still be able to affect their phones with the exploit.
The end result, as demonstrated by the research is quite hilarious, as he proceeded to play a video loop that he had circulated across several Android devices via the Firefox bug, including a fitness tracker that he was wearing at the time.
The good news is the issue is easily fixed; if you do encounter it on the Firefox app, all you need to do is contact Mozilla directly, and the app’s team will help you with the issue. On a related note, if your Firefox is app on Android is version 79 or later, you should be safe as Mozilla would have already fixed the bug.
