
Firefox for Android Profile Directory Name Leaks to Android System Log

Aleph Research Advisory

Identifier

Severity

Moderate

Product

Firefox for Android

Vulnerable Version

Firefox for Android before version 27

Mitigation

Apply patches

Technical Details

The random Profile Directory Name is written to the Android System Log (logcat) in various locations. For instance, upon Firefox launch, the following data is written:

D/GeckoProfile( 4766): Found profile dir: /data/data/.../files/mozilla/24pd90uh.default

In Android 4.0 and below, any application, including a malicious one, can easily read the Android log by acquiring the READ_LOGS permission.
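
A regression check for this leak, as an added example (not part of the advisory and not Mozilla's code): it scans a captured logcat in brief format for records that disclose a profile directory name and reports them with the name redacted. The 8-character name pattern is an assumption taken from the sample line above, and every sample record except the first GeckoProfile one is constructed.

```python
import re

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
BRIEF = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s?(.*)$")

# Assumption: a profile directory looks like the one in the advisory,
# mozilla/<8 lowercase alphanumerics>.<profile name>. profiles.ini has the
# same shape but is a fixed file name, so it is excluded.
PROFILE = re.compile(
    r"(mozilla/)(?!profiles\.ini\b)([a-z0-9]{8})(\.[A-Za-z0-9_-]+)")


def audit(lines):
    """Return one finding per log record that discloses a profile directory."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        m = BRIEF.match(raw.rstrip("\r\n"))
        if not m:
            continue  # separators such as "--------- beginning of ..."
        _prio, tag, pid, msg = m.groups()
        if PROFILE.search(msg):
            findings.append({
                "line": lineno,
                "tag": tag.strip(),
                "pid": int(pid),
                # The report must not repeat the value it is flagging.
                "redacted": PROFILE.sub(r"\1<redacted>\3", msg),
            })
    return findings


# Constructed capture. Only the first GeckoProfile record is from the advisory;
# the tag "GeckoExample" and the other records are made up for the example.
SAMPLE = [
    "--------- beginning of /dev/log/main",
    "I/ActivityManager(  312): Start proc org.mozilla.firefox for activity",
    "D/GeckoProfile( 4766): Found profile dir: /data/data/.../files/mozilla/24pd90uh.default",
    "D/GeckoProfile( 4766): Reading /data/data/.../files/mozilla/profiles.ini",
    "D/GeckoExample( 4766): Opening /data/data/.../files/mozilla/24pd90uh.default/example.db",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("line %(line)d  %(tag)s(%(pid)d): %(redacted)s" % f)
```

An empty result from `audit()` on a log captured from a patched build indicates that none of the logged records match the profile directory pattern.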

Timeline

Credit

External References