Opening a malicious website can hack all devices connected to a WiFi network: New Mozilla flaw

Mozilla developers have fixed a critical bug that could have been exploited to hijack any version of the Firefox browser for Android, forcing the target user to access malicious sites.

Chris Moberly, a GitLab researcher, found the flaw and noted that exploitation requires the threat actor to be connected to the same WiFi network as the target smartphone.

According to the report, the flaw lies in the Simple Service Discovery Protocol (SSDP) component of the mobile browser, which is responsible for finding other devices on the same network to share or receive content. In other words, this is the component that allows you to share video streams with platforms such as YouTube and Roku, among others.

When a device is found, the SSDP component gets the location of an XML file where the device’s settings are stored. The expert discovered that in previous versions of Firefox, it was possible to hide Android “intent” commands, which the mobile browser would then execute, generating anomalous behavior in Firefox.
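The discovery step described above can be checked defensively before a client acts on it. The following is an added example, not code from Mozilla or from the researcher: it parses an SSDP response and accepts the advertised XML location only if it is an http(s) URL on the host that sent the packet. It assumes the location arrives in the standard SSDP `LOCATION` header; the function names, the sender-match policy and the sample packets are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample datagrams (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
          b"ST: upnp:rootdevice\r\nLOCATION: http://192.168.1.20:8060/\r\n\r\n")
SUSPICIOUS = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
              b"LOCATION: intent:placeholder\r\n\r\n")

ALLOWED_SCHEMES = {"http", "https"}


def parse_ssdp_headers(datagram):
    """Parse an SSDP (HTTP-over-UDP) message into {UPPERCASE-NAME: value}."""
    text = datagram.decode("utf-8", errors="replace")
    headers = {}
    for line in text.split("\r\n")[1:]:   # skip the start line
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def check_location(datagram, sender_ip):
    """Return (ok, reason) for the LOCATION advertised in an SSDP response."""
    location = parse_ssdp_headers(datagram).get("LOCATION")
    if location is None:
        return False, "no LOCATION header"
    try:
        url = urlsplit(location)
    except ValueError:
        return False, "unparseable LOCATION"
    # A device description is fetched over HTTP; anything else is rejected.
    if url.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not http(s)" % url.scheme
    try:
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return False, "host is not an IP literal"
    # Policy assumed by this example: the description lives on the sender.
    if host != ipaddress.ip_address(sender_ip):
        return False, "host differs from packet sender"
    return True, "ok"


if __name__ == "__main__":
    print(check_location(BENIGN, "192.168.1.20"))
    print(check_location(SUSPICIOUS, "192.168.1.66"))
```

The same check can be run over SSDP responses extracted from a packet capture to flag advertisements whose location is not a plain HTTP URL.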

“Let’s imagine a hacker entering an airport or mall, connecting to the site’s WiFi network, and launching a script that sends spam through specially designed SSDP packets; this activity would compromise any Android device with Firefox mobile installed, which could lead to phishing attacks, installation of malicious extensions, among other scenarios,” the expert says.

In another attack scenario described, threat actors could take advantage of flaws in the most insecure routers to spam an organization’s networks and steal users’ login credentials. The researcher posted some videos along with his proof of concept.

The report was presented to Mozilla a few months ago, and the Firefox 79 update was released to fix the flaw, although it is very likely that many users have not yet upgraded to the corrected version. Firefox desktop versions were not affected by this flaw. Mozilla did not add further technical details of the flaw, although it recommended that users upgrade to newer versions.