Mozilla Foundation Security Advisory 2013-33

World read and write access to app_tmp directory on Android

Announced
April 2, 2013
Reporter
Shuichiro Suzuki
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 20

Description

Security researcher Shuichiro Suzuki of the Fourteenforty Research Institute reported the app_tmp directory is set to be world readable and writeable by Firefox for Android. This potentially allows for third party applications to replace or alter Firefox add-ons when downloaded because they are temporarily stored in the app_tmp directory before installation.

This vulnerability only affects Firefox for Android.

References