Date reported — 2019-08-29
Firefox Lite 1.9.2 for Android and earlier suffer from exhaustive Address Bar Spoofing, allowing attackers to potentially trick a victim into visiting a malicious domain for legitimate domain name. Firefox Lite is almost installed on more than 10M devices.
URL Address Bar spoofing is the worst kind of phishing attack possible because it's the only way to identify the site which the user is visiting for a non-technical user. URL address bar is the only way to trust a website and if this indicator is hijacked, the whole security of any normal user will be compromised.
setInterval() function which executes
pwn() function which ultimately reloads target URL in every 10ms.
Proof of concept (POC)
- Opening Firefox Lite; Latest version i.e.1.9.1 (13361)
- Spawning a HTTP web-server with the attached payload i.e.
- Loading the page e.g http://10.10.10.10/spoof.html
- URL gets spoofed and shows contents of
spoof.htmlwhile URL points at https://www.mozilla.org/en-US/
Video demo — https://youtu.be/wzpteHxAQSw
The browser should successfully redirect to the target website.
Reply from Mozilla
Quickly acknowledging, validating, and resolving submitted issues while recognizing the researcher's effort is vital for successful vulnerability coordination, but the report didn't got any attention after initial triage and half-hearted discussion.
...11 months later
I got fed up after waiting for months, eleven months to be exact. I emailed firstname.lastname@example.org asking them to look at the stale bug report.