
Firefox for Android Automatic File Download to SD Card

Aleph Research Advisory

Identifier

Severity

High

Product

Firefox for Android

Vulnerable Version

Before 28.0.1

Technical Details

Any file that Firefox cannot render is automatically downloaded to the SD card (/mnt/sdcard/Download), a folder that a malicious application can read once it acquires the READ_EXTERNAL_STORAGE permission. Notably, this permission was not even enforced before Android 4.4. A malicious application can therefore extract non-renderable data such as the cookies database, once it has managed to derandomize the profile directory name.
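The check below is an added example, not code from the advisory or from Firefox: it models a download handler's destination policy, flagging automatic writes to shared storage and copies of app-private data into it. The package directory, the `/sdcard` and `/storage/emulated/0` roots, and all function names are assumptions of the example.

```python
import posixpath

# Shared-storage mount points. /mnt/sdcard is the one named in the advisory;
# the other two are common Android aliases and are assumptions of this example.
SHARED_ROOTS = ("/mnt/sdcard", "/sdcard", "/storage/emulated/0")


def _is_under(path, root):
    """True if the normalized path is root itself or lies below it."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def on_shared_storage(path):
    return any(_is_under(path, r) for r in SHARED_ROOTS)


def review_download(dest_path, user_confirmed, source_local_path=None,
                    app_private_dir="/data/data/com.example.browser"):
    """Return (allowed, findings) for one pending download.

    source_local_path is the filesystem path of the content when it is read
    from local storage, else None. app_private_dir is a placeholder.
    """
    findings = []
    shared = on_shared_storage(dest_path)
    private_src = (source_local_path is not None
                   and _is_under(source_local_path, app_private_dir))
    if shared and not user_confirmed:
        findings.append("automatic write to shared storage")
    if shared and private_src:
        findings.append("app-private data would be copied to shared storage")
    return (not findings, findings)


# Constructed sample events (dest, user_confirmed, source), not from a device.
SAMPLES = [
    ("/mnt/sdcard/Download/report.bin", False, None),
    ("/mnt/sdcard/Download/cookies.sqlite", False,
     "/data/data/com.example.browser/files/profile/cookies.sqlite"),
    ("/mnt/sdcard/Download/report.bin", True, None),
    ("/data/data/com.example.browser/cache/../../../../mnt/sdcard/x", False, None),
    ("/data/data/com.example.browser/cache/tmp.bin", False, None),
]

if __name__ == "__main__":
    for dest, confirmed, src in SAMPLES:
        print(dest, review_download(dest, confirmed, src))
```

Paths are normalized before comparison so that a destination written with `..` segments is still recognized as shared storage.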

Timeline

Credit

External References