Closed Bug 1932675 Opened 6 months ago Closed 6 months ago

The current build of Firefox for Android contains an exploit when accessing passwords.

Categories

(Firefox for Android :: Logins, defect)

Product:
Firefox for Android
Component:
Logins
Version:
Firefox 132
Platform:
All
Android
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1928779

People

(Reporter: angelo.c.skrodzki, Unassigned)

Details

(Keywords: reporter-external)

User Agent: Mozilla/5.0 (Android 14; Mobile; rv:132.0) Gecko/132.0 Firefox/132.0

Steps to reproduce:

When looking up my passwords via the current Android Firefox browser, I received the expected pin to view my passwords. When I failed to type in my pin three times or when I cancelled typing in my pin three times, I was able to bypass the need for a pin and view all of my passwords.

In other words, when looking to access my passwords via the built-in setting on the Firefox Android Browser, I did not receive a secure password validation step. It is currently able to be bypassed by skipping the pin process. While the first three pins provide an error when the pin is mistyped, it doesn't matter since the security feature of the pin is not actually functioning. I attempted this on a fully updated Samsung Galaxy S22+ (still currently supported by the manufacturer software lifecycle).

Actual results:

Did not receive a secure pin process when accessing passwords on my Android Firefox browser. The password settings are able to be bypassed simply by ignoring the pin prompt. Thus, all of my passcodes are unsecured if my device were to be accessed by a threat actor - the impact is to all potential devices and users. Regardless that this impact can be alleviated by having a device pin, anyone with cross site scripting can hijack the browser's security if they were able to prompt for a password and write a query to do so, or worse. If they have remote access of the device and screen, they can still bypass the device pin and directly exploit the browser without much known skills. If malware was installed, there isn't a secure safety measure to prevent this exploit. Treat as a critical vulnerability.

Expected results:

My passwords should not have been visible when bypassing the pin.

Additional information about my browser.

132.0.2 (Build #2016055415), hg-21a81a27f177+
GV: 132.0.2-20241110192737
AS: 132.0.1

2024-11-10T22:06:57.242269559

Thank you for the report. This has been reported previously, and a fix is under way in bug 1928779.

Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Component: General → Logins
Duplicate of bug: CVE-2024-11703
Resolution: --- → DUPLICATE

The linked bug appears to be connected to a beta fix, I am using a public release build version which is different.

Yes. Release will be updated to Firefox 133 in 5 days, and that will contain the fix.

Group: mobile-core-security → core-security-release

Thanks for the heads up! I'll be on the lookout for more. Take care.

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.