Bug 789534 (Closed)
Opened 12 years ago
Closed 12 years ago
Firefox is requesting Superuser access when updating, trying to access /system/bin/sh
Categories: Firefox for Android Graveyard :: General, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 789964
People: Reporter: blandead41; Assignee: Unassigned
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:18.0) Gecko/18.0 Firefox/18.0
Build ID: 20120907030554
Steps to reproduce:
I open Firefox and upgrade when I get a notice that there is a new nightly version.
Actual results:
I select to download and install it, but the past 2 days it has requested Superuser permission. I denied Firefox the Superuser access because there should be no reason for it. I checked my Superuser log and it was trying to access /system/bin/sh. It still successfully upgraded even though I denied superuser access. I noticed it is also storing the phone's IP address and hashValue (sha512) in plain text on the internal sdcard named updates.xml, this also doesn't seem safe. Passwords or hashes should be moved to a system folder so it can take advantage of Android's data encryption option, maybe that's a separate bug though.
Expected results:
Firefox should upgrade without needing and requesting Superuser access. Unless there is a specialized opt-in feature it should never request Superuser permissions. This automatically raises red flags for me in regards to security, and its value to me as a safe browser would be lost.
This is by design behavior according to mfinkle
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•12 years ago
(In reply to Curtis Koenig [:curtisk] from comment #1)
> This is by design behavior according to mfinkle
Yes, it is, but if rooted users start feeling nervous about it, we should reconsider.
Comment 3•12 years ago
We can reconsider if it freaks people out, but I don't know why people are rooting their phones if they consider every root-using app to be a security risk. The reason we ask for root access is so we can use a streamlined update process instead of the cumbersome and annoying install wizard. It isn't anything nefarious, and it is by design. The root access is restricted to the separate updater process, so the browser is not affected.
I wouldn't be surprised to see most of the rooted users freak out, since Firefox isn't a "root" app. I figured it wasn't something nefarious, but perhaps some application or trojan would be able to exploit it. Very unlikely, but I would still suggest to not use root access even on the updater. Couldn't the browser just automatically direct itself to the FTP server, download it, then have user install? Honestly, I don't really like the streamlined process in the first place as I still have to check "allow app from non marketplace" and then it auto-syncs my phone and all accounts. Which is nice to have Firefox sync, but annoying with several Gmail accounts. Background data is still active so couldn't you just sync the Firefox account only?
Comment 5•12 years ago
Based on the discussion I'm going to un-hide this bug. We may or may not want to change it, but it's not an exploitable vulnerability.
Group: core-security
Comment 6•12 years ago
Is this not an exact dupe of bug 789964?
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Thank you guys, the past two updates haven't been requesting the superuser access. The updater seems much smoother/quicker as well.
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard