The exploit in question was discovered in the SSDP engine of Firefox for Android and affects version 68.11.0 and below. What is interesting about the exploit is that a hacker can trigger the engine in the app without any interaction from the phone's user.

— Cybercat 2077 (@0xCats) September 22, 2020

In fact, all the victim needs to do is have the Firefox app running on their phone; to be absolutely clear, they do not need to have accessed a malicious website or clicked on a malicious link. They can simply be doing something completely innocent or ordinary, and the attacker will still be able to affect their phone with the exploit. The end result, as demonstrated by the researcher, is quite hilarious: he proceeded to play a video loop that he had circulated across several Android devices via the Firefox bug, including a fitness tracker that he was wearing at the time.

The good news is that the issue is easily fixed; if you do encounter it on the Firefox app, all you need to do is contact Mozilla directly, and the app's team will help you with the issue. On a related note, if your Firefox app on Android is version 79 or later, you should be safe, as Mozilla would have already fixed the bug. (Source: GitLab via Twitter)

Security Researcher Discovers Firefox Android App Exploit That Requires Zero User Interaction