Firefox for Android
Before version 28.
The org.mozilla.gecko.CrashReporter class is a public activity. Its purpose is to send crash dumps to Mozilla when needed. The CrashReporter activity receives the dump file path as an input (an Intent extra parameter). When the activity is launched, its onCreate method is executed and the following actions take place:
If the user presses the Close or Restart buttons with the ‘Send report’ check-box enabled, the minidump alongside with other sensitive information is sent to the specified server by calling the sendReport method. It should be noted that if the user has also checked the Include the address check-box, then Android logs are sent as well.
One problem is that the CrashReporter activity consumes the minidump path from the input intent although it should be considered untrusted data since the activity is public as defined in the Android Manifest file. Therefore, a malicious application can control the source path of the moved minidump file and the deduced extra file.
Another issue is that attacker to control the destination server for the crash report.