We have recently discovered a series of vulnerabilities in Firefox for Android that allows a malicious application to leak sensitive information pertaining to the user profile. We developed attacks that first try to determine the random Firefox profile directory name and then exfiltrate sensitive data, such as cookies and cached information, from the derandomized folder, breaking Android’s sandbox. This blog post describes the vulnerabilities and attacks in an informal manner. The full analysis can be found in our white paper.

Firefox Profile Directories

Firefox for Android stores the personal data under the profile directory, located at /data/data//files/mozilla/.default. Randomizing the profile directory name is a good. It provides another layer of defense, preventing unwanted access to this directory in case of Firefox exploitation. Access to this directory should indeed be carefully scrutinized since it contains sensitive information, such as the user cookies, browsing history and cache.

The generation of the profile directory is done using the following code:

```java
private static String saltProfileName(String name) {
    String allowedChars = "abcdefghijklmnopqrstuvwxyz0123456789";
    StringBuilder salt = new StringBuilder(16);
    // ... the remainder of the method is not reproduced here
}
```

After the cache has been prepared, the attacker can leak it by generating another Intent that targets the CrashReporter activity, with the minidump path parameter set to the cache file. Since the cache file path has no ‘.dmp’ substring, the computed extra file will be the same, and the target server URL will be parsed out of the cache file.

Because its severity is now much lower with the CVE-2014-1515 fix, we were allowed by Mozilla to publicly disclose this vulnerability.
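The ‘.dmp’ behaviour described above is a reason for any component that accepts a file path from another application to validate that path before deriving a companion file name from it. The following is an added example, not code from Firefox or from the original post; the class, method and directory names are hypothetical, and it runs on a plain JVM with constructed sample paths.

```java
import java.io.File;
import java.io.IOException;

public class MinidumpPathCheck {
    private static final String DUMP_SUFFIX = ".dmp";

    // Returns the canonical dump file if the supplied path is acceptable, otherwise null.
    static File validateMinidumpPath(String suppliedPath, File crashDir) throws IOException {
        if (suppliedPath == null) return null;
        // Canonicalise first so ".." segments and symlinks cannot escape the directory.
        File dump = new File(suppliedPath).getCanonicalFile();
        File root = crashDir.getCanonicalFile();
        // Require the suffix: a name without ".dmp" would map onto itself when the
        // companion file name is derived by substring replacement.
        if (!dump.getName().endsWith(DUMP_SUFFIX)) return null;
        // Only accept files that sit directly inside the crash directory.
        if (!root.equals(dump.getParentFile())) return null;
        return dump;
    }

    // Derive the companion ".extra" file from a validated dump; it can never equal the dump.
    static File extraFileFor(File dump) {
        String name = dump.getName();
        String base = name.substring(0, name.length() - DUMP_SUFFIX.length());
        return new File(dump.getParentFile(), base + ".extra");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory and paths, for illustration only.
        File crashDir = new File(System.getProperty("java.io.tmpdir"), "pending-crashes");
        String base = crashDir.getPath();
        String[] samples = {
            base + "/1a2b3c.dmp",              // expected: accepted
            base + "/../profile/cache/entry",  // expected: rejected, no .dmp suffix
            base + "/../elsewhere/4d5e6f.dmp", // expected: rejected, outside crash dir
        };
        for (String s : samples) {
            File dump = validateMinidumpPath(s, crashDir);
            if (dump == null) {
                System.out.println("rejected: " + s);
            } else {
                System.out.println("accepted: " + dump + " -> " + extraFileFor(dump));
            }
        }
    }
}
```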