File: protocol links downloaded to SD card by default
- March 25, 2014
- Roee Hay
- Fixed in
- Firefox 28.0.1
Security researcher Roee Hay reported that a hyperlink using
file: protocol on Firefox for Android could link to a local
file in the Firefox profile directory. If a user selected this link on their
device, the linked file would be copied to the SD card without prompting.
This SD card location is world readable leading to a potential information
disclosure of files in the Firefox profile through a malicious application.