The security of our mobile apps and private data is a very serious matter. This is particularly true for high value targets like web browsers, which often store login credentials that can be used to access many of the websites we use on a regular basis. Unfortunately, browsers are also very complicated applications with an extensive set of features that are difficult to lock down completely. Sebastián Guerrero Selma of viaForensics recently posted a video demonstrating a newly discovered vulnerability in Firefox for Android which would allow hackers to access both the contents of the SD card and the browser's private data. Take a look at the video:

If successfully exploited, the implications of the vulnerability could be disastrous. Naturally, access to files on the SD Card is a privacy issue and could be severe depending on what is stored there, including personal pictures and video, or data placed there by other applications. While permission to read and write to external storage is common for many apps and should already be considered semi-public from a security standpoint, it's generally assumed that those apps will not transmit your files back to a server without asking. However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla thinks should be kept safely tucked away.

For the exploit to take effect, users must simply visit a web page either install an app or open a locally stored HTML file containing a malicious snippet of Javascript. Files are accessed through the standard "file://" URI syntax. Since the data within internal storage has also been encrypted by Firefox, a second exploit is leveraged to install a third-party app which acquires the salted and hashed encryption key stored on the device.

I reached out to Sebastián, and he confirmed that the issue has been responsibly disclosed to Mozilla, along with information on how it can be recreated and a proof-of-concept app as a demonstration. The issue has been marked as fixed with v24, which rolled out to the Play Store on September 17th. Sebastián is also preparing a full technical report to explain the vulnerability in much greater detail. His findings will be posted on the viaForensics blog once the write-up is complete. [Update] Link to Sebastián's full technical write-up.

Much like the vulnerability from a couple of weeks ago, the only way to completely prevent falling victim to this attack is to stop using Firefox for Android. Once Mozilla publishes an update with fixes, it should be safe to resume usage. It is not necessary to uninstall the browser, but it should not be used to visit sites that cannot be completely trusted.

Update: We're being told Mozilla has already fixed the vulnerability in a recent update. I'm reaching out for a solid confirmation.

Update 2: A representative from Mozilla has contacted us with a couple of clarifications. We're told the issue was fixed in Firefox for Android v24, released on September 17th. It also seems that the exploit cannot be executed by a remote web page, but must be activated by loading a local html file or application already on the device. Thanks, Shannon.

Update 3: Sebastián has been in touch to let me know that his original work was limited to an app or locally stored HTML file, but he has since found ways to achieve the exploit remotely. Again, the details have been responsibly disclosed to Mozilla. Of course, with the original vulnerability having already been fixed with v24, a remote attack won't be very effective.

Thanks, Sebastián