A Bug in Firefox Allows Controlling Devices on the Same Wi-Fi Network

Mozilla Firefox is one of the most widely used browsers. This means that when a problem, failure or vulnerability arises, many users can be affected. In this article we report on a bug that affects the browser on the Android operating system. This flaw would allow an attacker on the same Wi-Fi network to exploit devices.

A bug in Firefox allows exploiting devices on the same network

This bug specifically affects the SSDP engine of the Firefox browser. It could allow a hypothetical attacker to exploit Android devices connected to the same network, as long as they have this browser installed. It should also be noted that this could occur without user interaction, which makes it more dangerous.

SSDP is a text-based protocol used to communicate with devices within the same network. An attacker could use this vulnerability to contact an Android device with Firefox installed and carry out an attack.

As we have mentioned, what stands out about this bug is that it does not require user interaction. Nor does the attacker need to install any kind of malicious software on the victim's device. All that is required is that the device runs the Android operating system and has Mozilla Firefox installed as a browser.

The vulnerable version of Firefox periodically sends SSDP discovery messages via UDP multicast on the local network to search for devices available for transmission. Any device connected to the same network can respond to the discovery message and provide a location from which to get detailed information about the UPnP device.

The Firefox browser then tries to access the XML file at that location to confirm the UPnP specifications, and this is where the vulnerability comes into play. An attacker could run a malicious SSDP server that, instead of providing the location of an XML file, responds in a way that lets it perform unauthorized functions on the device.

Fixed with the new version

This flaw was discovered by security researcher Chris Moberly in the Android version of Firefox 79. He quickly reported it to Mozilla, which acted to correct the problem. Users who have the latest updated version cannot be victims of this flaw.

This demonstrates once again the importance of always keeping our devices updated with the latest versions, regardless of the operating system, program or device we use. We should always have the latest patches and updated software installed to correct any vulnerabilities that may exist.

We must also note that this bug is only present in the mobile version of Mozilla Firefox. Therefore, it does not affect desktop computers or other operating systems. Users who have an older version need to upgrade to Firefox 80.1.3 to avoid this problem.