Closed Bug 872480 Opened 12 years ago Closed 12 years ago

Automatic web android APK downloads compromises security

Categories

(Firefox for Android Graveyard :: General, defect)

21 Branch
ARM
Android
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 690252

People

(Reporter: dean_byerley, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Build ID: 20130511120803

Steps to reproduce:

Use Firefox for Android (version 20 onwards) on a (not-knowingly) compromised WiFi Network. The network proxy appeared to be adding scripts to targeted websites which would redirect the user to a new web page after a short pause which would automatically start downloading an Android APK file (with no user initiation of the download process).

Actual results:

These scripts caused Firefox, without user prompting or confirmation (i.e. other than entering a normal web address such as www.engadget.com) to have an Android APK download initiated. The download name would often indicate that this was an update that the user should install (e.g. New_flash_update.apk), which users may then accidentally do (as you get an option when clicking on the file to allow "installation from unknown sources").

Expected results:

A prompt should have appeared first on Firefox for Android along the lines of "Download of blah_blah.apk requested by website. Do you wish to allow yes/no?"
OS: Windows 7 → Android
Hardware: x86_64 → ARM
This sounds like a duplicate of bug 849630.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Product: Firefox for Android → Firefox for Android Graveyard