Written by Christian Angel
Discovered by Australian security researcher Chris Moberly, the SSDP engine in Firefox for Android (68.11.0 and below) can be tricked into triggering Android intent URIs with zero user interaction. This attack allows hackers on the same Wi-Fi network to launch apps without the users’ permission and gain access to data.
Instead of providing the location of an XML file describing a UPnP device, an attacker can run a malicious SSDP server that responds with a specially crafted message pointing to an Android intent URI. Then, that intent will be invoked by the Firefox application itself.
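The check that rejects this kind of response, as an added example that is not Mozilla's fix or code from the original article: a client or network monitor parses the SSDP reply and accepts the LOCATION header only when it is an http/https URL with a host. The function names and sample datagrams are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: a UPnP device description is only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}

def parse_ssdp_headers(datagram):
    """Parse an SSDP response (HTTP-like text over UDP) into lower-cased headers."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            # First occurrence wins, so a duplicate header cannot override it.
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def check_location(datagram):
    """Return (accepted, reason) for the LOCATION header of one SSDP response."""
    location = parse_ssdp_headers(datagram).get("location")
    if location is None:
        return False, "no LOCATION header"
    try:
        parts = urlsplit(location)
    except ValueError:
        return False, "LOCATION is not a parseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r is not http/https" % scheme
    if not parts.hostname:
        return False, "LOCATION has no host"
    return True, "ok"

# Constructed sample responses (documentation address and placeholder host).
BENIGN = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
          b"LOCATION: http://192.0.2.10:8008/dd.xml\r\n\r\n")
SUSPICIOUS = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
              b"Location: intent://placeholder.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, check_location(pkt))
```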
According to the Android developer site, intent URIs are messages that request an action from another app component, and intents can be used to download files, send messages, or take pictures.
The researcher said, “The victim simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required.”
Moberly worked with Mozilla on this issue, fixing the vulnerability with the updated Firefox version.
Please update immediately. Versions of Firefox on mobile below version 79 are vulnerable to exploitation.