A very serious security hole has been discovered in Firefox for Android that allows a website to force the browser to download and run potentially damaging files, usually without the user's knowledge or interaction. The vulnerability was first described and demonstrated publicly on September 9th as part of a posting meant to advertise the attack as being for sale. The method for exploiting the weakness simply requires a webserver to instruct Firefox for Android to initiate a download, after which the downloaded file is automatically opened or executed (depending on the file type).

Here's a demonstration using an apk crafted to look like an update to Firefox:

While the demo video above uses an apk and relies on a user being tricked into installing it, the potential vectors of attack aren't restricted simply to apks and can possibly leverage other weaknesses on a device. Mozilla's browser, like many others, allows a server to begin sending a file without first prompting the user. Unlike other browsers, Firefox for Android also automatically attempts to open the file based on the file associations registered in the system, similar to the way desktop systems open a file when it is double-clicked. The real danger here is that the user is never prompted before the file is opened.

To fall victim to this attack, a person would merely have to be using Firefox for Android to visit a malicious site, or one that has been compromised. Given the popularity of hacking heavily trafficked sites, like MIUI.us just 2 weeks ago, this would be an easy method for infecting quite a few devices, especially if done very subtly.

Unfortunately, there is no clear way to disable this behavior in Firefox for Android. Due to the simplicity of exploiting the weakness and its potential for serious damage, we strongly recommend using an alternate browser until Mozilla changes this behavior to be more secure and less attractive to attackers.

Source: Inj3ct0r