Mozilla Foundation Security Advisory 2014-33

File: protocol links downloaded to SD card by default

Announced
March 25, 2014
Reporter
Roee Hay
Impact
High
Products
Firefox
Fixed in
  • Firefox 28.0.1

Description

Security researcher Roee Hay reported that a hyperlink using the file: protocol on Firefox for Android could link to a local file in the Firefox profile directory. If a user selected this link on their device, the linked file would be copied to the SD card without prompting. This SD card location is world-readable, leading to a potential information disclosure of files in the Firefox profile through a malicious application.
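The following is an added example, not code from Mozilla and not the fix shipped in Firefox 28.0.1, which this advisory does not describe. It sketches one way a browser could classify an activated link so that file: targets inside the profile directory are never copied to shared storage and other local files require a prompt; the function names, return labels, and profile path are hypothetical.

```javascript
// Constructed sample path; a real build would query its own profile location.
const PROFILE_DIR =
  "/data/data/org.example.browser/files/mozilla/abcd1234.default";

// Collapse ".", ".." and repeated slashes in an absolute POSIX path.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Returns one of:
//   "not-file" - not a file: link, handled by the normal navigation path
//   "reject"   - malformed or suspicious, do nothing
//   "block"    - resolves inside the profile, never copy to shared storage
//   "prompt"   - other local file, ask the user before any copy
function classifyLink(href, profileDir = PROFILE_DIR) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return "reject";
  }
  if (url.protocol !== "file:") return "not-file";
  if (url.host) return "reject"; // remote file: hosts are out of scope here

  let decoded;
  try {
    // Decode first so %2F and %2E cannot hide path separators or dot segments.
    decoded = decodeURIComponent(url.pathname);
  } catch {
    return "reject"; // invalid percent-encoding
  }
  if (decoded.includes("\0")) return "reject";

  // Lexical check only: on a device, symlinks should also be resolved
  // (realpath) before this comparison.
  const target = normalizePath(decoded);
  const root = normalizePath(profileDir);
  if (target === root || target.startsWith(root + "/")) return "block";
  return "prompt";
}
```

The trailing "/" in the prefix comparison keeps a sibling directory whose name merely begins with the profile directory's name from being treated as part of the profile.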
