Mozilla Foundation Security Advisory 2016-41

Content provider permission bypass allows malicious application to access data

Announced
April 26, 2016
Reporter
Ken Okuyama
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 46

Description

Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. This issue does not occur on Android 5.0 or later versions of Android.

This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

References