Mozilla rolled out rapid fix to address critical browser privacy issue
A vulnerability in the mobile version of the Firefox browser exposed victims’ local files to attackers if they visited a specially crafted web page.
The security bug, which impacted mobile devices running the Android Firefox app, allowed a malicious website to steal sensitive files, including cookies from any previously visited site.
This was due, in part, to the way Firefox uses content:// URIs, which enable Android devices to identify data in a content provider and can represent various files or database information.
Security researcher Pedro Oliveira, who discovered the bug, explained: “When I tested Firefox’s use of content URIs, I noticed the address bar was changing while rendering the URI, redirecting me to a file:// URI.”
He added: “It appeared that Firefox was saving the content to a file, and then redirecting me to that [newly] created file – the file was being saved in the internal temporary folder /data/data/org.mozilla/firefox/cache/contentUri/.”
Keep URIs open
In a detailed blog post published earlier today (November 16), Oliveira demonstrated how he was able to take advantage of the Same Origin Policy, which allows files to access their own contents, in order to force Firefox to dump sensitive files, including cookie information.
“I started off with simple testing,” he explained. “I needed to retrieve the contents of a private file by opening a file from the external directory.
“In this case I chose /data/user/0/org.mozilla.firefox/files/mozilla/profiles.ini. This file contains information on where the cookie database is stored in the device.”
To retrieve this file, the researcher created a file with the same name, saving it in /sdcard/Download/profiles.ini.
To load the script, he created an iframe in the same file that “loads a content:// URI pointing to the file we are actually trying to read”.
“By opening with a content:// URI, we will leverage Firefox’s copying of the file to another location and accessing it via file://,” he said.
Given that the exploit leverages Firefox’s content provider, it could be used to access any file on the device.
Armed with the above information, Oliveira demonstrated how a malicious webpage could trigger the automatic download of the profiles.ini file.
He then employed the use of Intent URIs to continue making use of Firefox moving the downloaded file to its internal directory.
He wrote: “It was possible to steal files from the device solely by having the victim visit a webpage.
“In a real attack scenario, the malicious file would send the contents read to an attacker-controlled server, rather than outputting the contents in an alert modal.”
The issue was patched by Mozilla in less than a month, earning Oliveira a $5,000 bug bounty reward.
“This just shows how seriously these guys take security issues in their platforms,” he said.