Mozilla Foundation Security Advisory 2014-33

File: protocol links downloaded to SD card by default

Announced

March 25, 2014

Reporter

Roee Hay

Impact

High

Products

Firefox

Fixed in

Firefox 28.0.1

Description

Security researcher Roee Hay reported that a hyperlink using the file: protocol on Firefox for Android could link to a local file in the Firefox profile directory. If a user selected this link on their device, the linked file would be copied to the SD card without prompting. This SD card location is world readable leading to a potential information disclosure of files in the Firefox profile through a malicious application.

References

Do not handle file: paths by downloading them (CVE-2014-1515)

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog