Mozilla has patched a security flaw that could allow cybercriminals to hijack all vulnerable Firefox for Android browsers running on devices connected to the same Wi-Fi network as the attacker. The vulnerability could be abused to force users to visit websites hosting malicious content, which could then be used to execute phishing attacks or to download malware to their devices.
The vulnerability was discovered by Australian security researcher Chris Moberly, who said, “The victim simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required.” Moberly worked with Mozilla to fix the vulnerability in the updated Firefox version.
Eugene Kolodenker, Senior Security Researcher, Apps Research Team at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “This is a disturbing vulnerability that’s able to be exploited in coffee shops, airports, or any other public networks. The attack can be used to perform network-wide phishing attacks, prompting users with a popup asking for sensitive information. Further, it can be used as a starting point for full remote device compromise. To make matters worse, the vulnerability can be executed over and over, preventing the user from using their device, until they agree to a malicious user’s demands, or disconnect from the Wi-Fi network.”