Multiple Vulnerabilities in Firefox for Android Leak Sensitive Information

The Android operating system has hardened its security with application Sandboxing features to ensure that no application can access sensitive information held by another without proper privileges.

Android applications communicate with each other through Intents and these intents can be abused by hackers to provide a channel for a malicious application to inject malicious data into a target, potentially vulnerable application.

Security Researchers at IBM have discovered multiple vulnerabilities in Firefox for Android platform that allow a malicious application to leak the sensitive information related to the user's profile.

Android's Firefox app stores the personal data at following location:

/data/data/org.mozilla.firefox/files/mozilla/<RANDOM-STRING>.default.

Where the random name for user's profile is used to prevent unwanted access to this directory in case of Firefox exploitation.

Researchers developed an exploit to brute-force the <RANDOM-STRING> Firefox profile directory name in a practical amount of time CVE-2014-1516) and successfully bypassed Android’s sandbox to obtain the sensitive data reside in that directory, including users' cookies, browsing history and cache information.

For successful exploitation, an attacker can create a specially crafted HTML file, that will force Firefox to load the files including inside the user profile directory using an Intent.

The JavaScript code in the HTML file will download any file under the user profile directory by creating an iframe, using the vulnerability dubbed as CVE-2014-1515 (explained below).

Downloaded files with the exploit code will be saved automatically to the SD card at location /mnt/sdcard/Download, that can be read by the attacker using any malicious Android app.

REPORTED VULNERABITIES
1.) Profile Directory Name Weak Randomization (CVE-2014-1516) - The Attacker who knows the seed of the Pseudo-Random Number Generator (PRNG) can easily predict its output and eventually the generated Firefox Profile name.

2.) Profile Directory Name Leaks to Android System Log (CVE-2014-1484) - Android operating system writes the randomly generated Firefox user's Profile Directory Name in the Android System Log (logcat) at various locations, that can be used to steal private information.

In Android version 4.0 and below, installed apps with READ_LOGS permission can easily read Android system logs to identify the name of the Firefox user profile folder.

3.) Automatic File Download to SD Card (CVE-2014-1515) - Firefox for Android will download any file automatically to the SD card, if not of any known extension. Malicious apps with READ_EXTERNAL_STORAGE permission can read files from the SD card to extract non-renderable data such as the cookies database.

4.) Crash Reporter File Manipulation (CVE-2014-1506) - In cases where the application crashes, Firefox sends the crash dumps located in /data/data/org.mozilla.firefox/files/mozilla/Crash Reports/pending on the device file system. Using the exploit, an attacker can manipulate the crash report file path to the Android Log file in order to steal it. Researchers have also explained second way to hack user data using this vulnerability.

RESEARCH PAPER:
Researchers have already reported these vulnerabilities to the Mozilla and three out of four are already been patched in the latest versions. Android users with Firefox installed in the device are advised to upgrade it to Mozilla Firefox 28.0 or later from the Google Play app store.