The vulnerability also granted access to the browser's private data

Oct 1, 2013 07:49 GMT

Firefox for Android 24 brought a major security patch to all users, one meant to prevent the browser from allowing access to files and data stored on the SD card.

The security flaw was discovered by Sebastián Guerrero Selma of viaForensics, who informed Mozilla of the matter, which resulted in the release of said patch.

However, following the update, he also provided specific info on what the breach was all about, and published a video to demonstrate it.

As Android Police notes, the vulnerability was a major one, given that it offered access not only to the browser’s private data, but also to the contents of the SD card inside affected devices.

Basically, the flaw could potentially allow a hacker to access all of users’ cookies, login credentials, bookmarks, and the like.

However, the vulnerability could have been exploited only in the event that the user installed an application or opened a locally stored HTML file that included malicious JavaScript code.

The security issue allowed for files to be accessed through the standard "file://" URI syntax, it seems.

Furthermore, a second exploit, based on Firefox’s ability to encrypt data within internal storage, could allow for the installation of a third-party app, which would then access the salted and hashed encryption key on the affected device.

Apparently, Mozilla has already confirmed not only that the exploit was patched in Firefox 24 for Android, which was released on September 17, but also that it could not be leveraged by a remote web page (only by loading a local HTML file or application).

On the other hand, Sebastián claims to have already found means to achieve the exploit remotely. He plans on providing full details on his findings on the viaForensics blog.

Users who have already installed the latest version of the mobile browser should be protected against attacks trying to exploit this vulnerability.

Those who haven’t done so already can download Firefox for Android from Softpedia today to ensure that they are secure.