Vulnerability discovered in Firefox app for Android potentially allows access to SD card files (VIDEO)
Posted by: Jon Ben-Mayor on 10/01/2013 02:04 PM
Having a hacker gain access to your mobile browser's private data could be a very costly problem: all of the stored login credentials would potentially be put in the hands of a cyber-criminal, giving them access to all of your most-used websites and, equally troubling, access to all the private contents of the SD card.
A recently posted video from Sebastián Guerrero Selma of viaForensics (see below) demonstrates the newly discovered vulnerability in Firefox for Android, which potentially would allow hackers to do exactly what is mentioned above.
Android Police goes on to say that if successfully exploited, the implications of the vulnerability could be disastrous. Naturally, access to files on the SD Card is a privacy issue and could be severe depending on what is stored there, including personal pictures and video, or data placed there by other applications. While permission to read and write to external storage is common for many apps and should already be considered semi-public from a security standpoint, it's generally assumed that those apps will not transmit your files back to a server without asking. However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla thinks should be kept safely tucked away.
For the exploit to take effect, users must either install an app or open a locally stored HTML file containing a malicious snippet of JavaScript. Files are accessed through the standard "file://" URI syntax. Since the data within internal storage has also been encrypted by Firefox, a second exploit is leveraged to install a third-party app which acquires the salted and hashed encryption key stored on the device.
Mozilla has been in touch with Android Police and confirms that they have fixed the vulnerability in Firefox for Android v24. It also seems that the exploit cannot be executed by a remote web page, but must be activated by loading a local HTML file or application already on the device.
Sebastián also was in contact with Android Police staff and says that he has since found ways to achieve the exploit remotely. Again, the details have been responsibly disclosed to Mozilla. Of course, with the original vulnerability having already been fixed with v24, a remote attack won't be very effective.