Last Updated: October 2nd, 2013

The security of our mobile apps and private data is a very serious matter. This is particularly true for high value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data. Take a look at the video:

If successfully exploited, the implications of the vulnerability could be disastrous. Naturally, access to files on the SD Card is a privacy issue and could be severe depending on what is stored there, including personal pictures and video, or data placed there by other applications. While permission to read and write to external storage is common for many apps and should already be considered semi-public from a security standpoint, it's generally assumed that those apps will not transmit your files back to a server without asking. However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla thinks should be kept safely tucked away.

For the exploit to take effect, users must simply visit a web page either install an app or open a locally stored HTML file containing a malicious snippet of Javascript. Files are accessed through the standard "file://" URI syntax. Since the data within internal storage has also been encrypted by Firefox, a second exploit is leveraged to install a third-party app which acquires the salted and hashed encryption key stored on the device.

I reached out to Sebastián, and he confirmed that the issue has been responsibly disclosed to Mozilla, along with information on how it can be recreated and a proof-of-concept app as a demonstration. The issue has been marked as fixed with v24, which rolled out to the Play Store on September 17th. Sebastián is also preparing a full technical report to explain the vulnerability in much greater detail. His findings will be posted on the viaForensics blog once the write-up is complete. [Update] Link to Sebastián's full technical write-up.

Much like the vulnerability from a couple of weeks ago, the only way to completely prevent falling victim to this attack is to stop using Firefox for Android. Once Mozilla publishes an update with fixes, it should be safe to resume usage. It is not necessary to uninstall the browser, but it should not be used to visit sites that cannot be completely trusted.

Update: We're being told Mozilla has already fixed the vulnerability in a recent update. I'm reaching out for a solid confirmation.

Update 2: A representative from Mozilla has contacted us with a couple of clarifications. We're told the issue was fixed in Firefox for Android v24, released on September 17th. It also seems that the exploit cannot be executed by a remote web page, but must be activated by loading a local html file or application already on the device. Thanks, Shannon.

Update 3: Sebastián has been in touch to let me know that his original work was limited to an app or locally stored HTML file, but he has since found ways to achieve the exploit remotely. Again, the details have been responsibly disclosed to Mozilla. Of course, with the original vulnerability having already been fixed with v24, a remote attack won't be very effective.

Thanks, Sebastián

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Guest

    Hmm, i thought that, when storing data on the SD card, the app can define if other apps can or cannot read it.

  • rsimon24

    Well, Firefox is still the best crossplatform for android. In my case ive used chrome, opera, dolphin, you name it, they suck when syncing with your mac comes into game, perse chrome on my mac sucks, pictures dont load, youtube is a mess, chrome works on my nexus but sucks on my mac, opera is stilling breast feeding, dolphin is a dreamer, Firefox is a champ, its not perfect, but it works on my mac and on my android device as it promises... Surely an update will come next hours.

    • http://www.LOVEanon.org/ Michael Oghia (Ogie)

      I have a MacBook as well, but use Firefox on my Nexus. I really like the functionality (and Mozilla always gets massive brownie points with me for being community-based and open-sourced).

  • http://www.geordienorman.com/ G Byers

    Linkbait and a non-story

    • mechapathy

      Downvote bait.

  • Anonymous

    No "never remember history" option.
    No "keep top bar always on, even when you have scrolled all the way down" option.

    Why is my favorite and most flexible PC browser so shit on mobile.

  • ikaruga

    Looks like Mozilla is dropping the ball. They're on top of security on the desktop so what gives?