Flaws Found in Firefox FindMyDevice Service

Friday, October 23, 2015 @ 05:10 PM gHale

Mozilla’s Find My Device service flaws can allow for attacks that can lock smartphone screens running Firefox OS.

In addition, attackers could end up changing PINs, make the devices ring, and even wipe all data with only a few clicks.

LTE 4G Threats Plague Android Users
Apple App Store Tightens Security
Siri as an Attack Vector
Mobile Malware Growing on Windows Devices

The Firefox Find My Device service allows users who’ve lost their Firefox OS phone to lock it or see its location on a map and retrieve it or direct law enforcement to the thief’s location. The service is extremely usable and is a similar feature to what Apple has been offering for years for iPhone users.

Egyptian security researcher Mohamed A. Baset found the flaw, which is a variation of a security vulnerability that affected the Samsung Find My Mobile service.

For that vulnerability, also revealed by Baset, the National Institute of Standards and Technology gave a CSVV (Common Vulnerability Scoring System) score of 7.8 out of 10, but got a 10 for exploitability.

By loading the Firefox Find My Device website inside a hidden iframe on other sites, via basic clickjacking techniques, a hacker could carry out attacks that would lock or unlock the phone’s screen, set a new PIN only known by the attacker, or make the phone ring at maximum volume for one minute, even if set in vibrate or silent mode, Baset said.

These actions could allow criminals who stole phones to craft a Web interface through which they could unlock PIN-protected phones.

Unlike the Samsung Find My Mobile vulnerability, the one affecting Firefox’s service also allowed attackers to wipe the phones clean, which poses more risk since valuable data can be lost if not properly backed up.

For this attack to work, users to end up logged in on the service with their Firefox account, which very few people use. Additionally, more clicks must take place to perform the attacks, ranging from 2 to 4, based on the desired malicious action.

Researchers reported the vulnerability to Mozilla back in March, and they patched it this week.