The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (for example, sharing video streams with a Roku device). To better understand how this bug could be weaponized, imagine a scenario where a hacker walks into an airport or mall, connects to the Wi-Fi network, and then launches a script on their laptop that spams the network with malformed SSDP packets. Another scenario is an attacker targeting vulnerable Wi-Fi routers: attackers could leverage exploits to take over outdated routers, then spam a company's internal network and force employees to re-authenticate on phishing pages.
Moberly said he reported the bug to Mozilla earlier this summer. The bug was fixed in Firefox 79; however, many users may not be running the latest release. Desktop versions of Firefox were not impacted. Reached for comment, a Mozilla spokesperson recommended that users upgrade to the latest version of Firefox for Android to be safe.