An attacker could steal any cookie from a Firefox for Android device by getting the user to open a specially crafted HTML file.
Specifically, Pedro Oliveira, a researcher at Infosec, discovered a vulnerability in the way Firefox handled local files referenced through content:// URIs, allowing an attacker to remotely copy all cookies stored on the device and thereby gain access to the sites the device's user had visited.
While the bug has been fixed in the latest versions of Firefox for Android, Oliveira's write-up of the flaw, and the speed at which Mozilla fixed it, which he notes in his report, reveal an obscure but easily exploitable vulnerability, as he puts it.
The exploit worked by convincing the user to open a specific HTML file. The malicious file opened an iframe pointing at a content:// URI for Firefox's profiles.ini file, which holds the user's profile information and cookies. Because Firefox handled these URIs, Oliveira was able to obtain a copy of a local file that a web page should not have been able to access remotely.
While the blog post referred to profiles.ini, the vulnerability report Oliveira submitted to Mozilla expanded the exploit to extract the cookies associated with the profile.
Using content:// URIs to access local files on the device, the researcher noticed that the browser converted them to file:// URIs, indicating that a copy of the requested resource is stored in the browser's private cache directory before it is opened.
A content:// URI requires read and write permissions to access other applications' data, Oliveira said in the write-up. When a URI is shared between applications (e.g. sharing a c), the originating application must grant permission to use that URI before it is made available. Those permissions are attached to the URI when it is shared with a receiving application, and only that application gets access. However, if an application processes the URI itself (rather than handing it to other applications), these restrictions do not apply, so the application can freely access its content.
Every file downloaded with Firefox versions up to 68.10.1 is handled this way, Oliveira found.
He went on to explain: "Since the [malicious] file we downloaded and the file downloaded by the exploit have the same name, it is replaced in the home directory. We have now opened a malicious file in the cache, but the source file has been replaced by another file. After the iframe loads, the cached malicious file sends its own content to the malicious website. Since the path is the same origin, this also works without any coercive [policy] measures."
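The overwrite step described above, as an added illustration that is not Firefox code or Oliveira's: a constructed model of a browser copying content:// resources into its private cache directory. Naming the cached copy by the URI's last path segment lets a second resource replace an already-opened document; deriving the name from the whole URI prevents the collision. All URIs, paths and file contents below are constructed.

```python
# Constructed model of a browser's content:// cache (not Firefox code).
import hashlib
import os
import tempfile


def basename_cache_path(cache_dir, uri):
    # Vulnerable scheme: only the last path segment of the URI names the file,
    # so two different URIs that end in the same segment map to one path.
    return os.path.join(cache_dir, uri.rsplit("/", 1)[-1])


def digest_cache_path(cache_dir, uri):
    # Hardened scheme: the name is derived from the whole URI, so distinct
    # resources never share a cache path.
    return os.path.join(cache_dir, hashlib.sha256(uri.encode()).hexdigest())


def copy_into_cache(cache_dir, uri, data, path_fn):
    # Models the browser copying a content:// resource into its cache before
    # opening it. Returns the cache path that was written.
    path = path_fn(cache_dir, uri)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def opened_document_was_replaced(path_fn):
    # Opens one document, then caches a second resource whose URI ends in the
    # same segment, and reports whether the first document's bytes changed.
    page = b"<html>constructed page opened via content://</html>"
    other = b"[Profile0]\nName=constructed\n"  # stand-in for a different local file
    with tempfile.TemporaryDirectory() as cache_dir:
        first = copy_into_cache(cache_dir, "content://app.a/docs/page.html", page, path_fn)
        copy_into_cache(cache_dir, "content://app.b/files/page.html", other, path_fn)
        with open(first, "rb") as fh:
            return fh.read() != page


if __name__ == "__main__":
    print("basename scheme replaced:", opened_document_was_replaced(basename_cache_path))  # True
    print("digest scheme replaced:", opened_document_was_replaced(digest_cache_path))  # False
```

The model covers only the cache collision; the same-origin read that follows is a consequence of the replaced file being served from the same file path as the opened document.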
Mozilla has been asked for comment, although Firefox was already updated to version 68.10.1 in July to fix the flaw. Over the years, the open source browser has had its share of public disclosures, including a vaguely similar remote code execution bug in 2018, which also worked by tricking users into visiting a malicious web page. ®