Any device on the local network can respond to these broadcasts and provide a location to obtain detailed information on a UPnP device, after which Firefox attempts to access that location, expecting to find an XML file conforming to the UPnP specifications.
According to the vulnerability report Moberly submitted to the Firefox team, the SSDP engine of the victims’ Firefox browsers can be tricked into triggering an Android intent by simply replacing the location of the XML file in the response packets with a specially crafted message pointing to an Android intent URI.
For this, an attacker connected to a targeted Wi-Fi network can run a malicious SSDP server on his/her device and trigger intent-based commands on nearby Android devices through Firefox—without requiring any interaction from the victims.
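
As an added illustration (not code from Firefox or from Moberly's report), this Python sketch shows the kind of check a client or network monitor could apply to an SSDP response before following its LOCATION header: accept only http/https URLs that point at a private-network IP literal. The function names, the acceptance policy and the sample packets are assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy: device descriptions are fetched over HTTP(S)

def parse_ssdp_headers(raw: bytes) -> dict:
    """Parse an SSDP response (HTTP-style message over UDP) into a lower-cased header dict."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:              # skip the status line
        if not line:
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def location_findings(raw: bytes) -> list:
    """Return reasons the LOCATION header should not be followed (empty list = acceptable)."""
    location = parse_ssdp_headers(raw).get("location")
    if not location:
        return ["missing LOCATION header"]
    url = urlsplit(location)
    if url.scheme not in ALLOWED_SCHEMES:
        # Covers intent: and any other application URI scheme.
        return [f"non-HTTP scheme {url.scheme!r}"]
    try:
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return ["host is not an IP literal"]
    if not host.is_private:
        return ["host is not on a private network"]
    return []

# Constructed sample responses (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
          b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
          b"LOCATION: http://192.168.1.20:8008/description.xml\r\n\r\n")
SUSPICIOUS = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
              b"LOCATION: intent://example.invalid/#Intent;scheme=https;end\r\n\r\n")

if __name__ == "__main__":
    for label, packet in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, location_findings(packet) or "ok")
```

The private-address requirement is a heuristic chosen for this example; the scheme check is the part that corresponds to the behaviour described in the report.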
Bitdefender, the tireless actuary of the Internet of Things, was able to crack into homeowners’ personal WiFi networks via Amazon’s Ring doorbells, the video-enabled auto-locks that allow homeowners to remotely open the door. Balan told us that the vulnerability was discovered following a request from PCMag to look into the device and that it’s now been patched.
Activities allowed by the intent also include automatically launching the browser and opening any defined URL, which, according to the researchers, is sufficient to trick victims into providing their credentials, installing malicious apps, and carrying out other malicious activities based on the surrounding scenarios.
“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control,” Moberly said.
“It could have been used in a way similar to phishing attacks where a malicious site is forced onto the target without their knowledge in the hopes they would enter some sensitive info or agree to install a malicious application.”
Moberly reported this vulnerability to the Firefox team a few weeks back, and the browser maker has now patched it in Firefox for Android versions 80 and later.
Moberly has also released a proof-of-concept exploit to the public that Stefanko used to demonstrate the issue in the above video against three devices connected to the same network.