Firefox

7262 readers

49 users here now

A community for discussion about Mozilla Firefox.

founded 3 years ago

MODERATORS

Today, the team at v12 released a video showing a PoC of Universal Account Takeover affecting Firefox Focus of iOS version. (media.infosec.exchange)

submitted 3 days ago* (last edited 3 days ago) by AmmarSpaces@infosec.exchange to c/firefox@lemmy.world

10 comments fedilink hide all child comments

Today, the team at v12 released a video showing a PoC of Universal Account Takeover affecting Firefox Focus of iOS version.

The PoC were released because it is been almost a year the vuln reported, but it is not patched yet.

The video below is demonstration of the vulnerability. We can see that,your X, Google, Reddit, can be taken over only in one click of a link.

Vulnerability explanation and the partly PoC can be seen here:
https://github.com/v12-security/pocs/tree/main/firefox

@firefox

#cybersecurity #infosec #0day #firefox

you are viewing a single comment's thread
view the rest of the comments

[–] moonpiedumplings@programming.dev 21 points 3 days ago (1 children)

This is bad, but I don't really care.

On iOS, all browsers are forced to use the safari/webkit browser engine, which simply isn't as modern in terms of security as actual firefox. There is a reason this bug only affects firefox on iOS, and that's probably why.

Blame Apple. Not Mozilla.

[–] XLE@piefed.social 2 points 2 days ago

This is absolutely on Mozilla.

First and foremost, Mozilla knew the bug was present for 11 months and they failed to fix it. They should have pulled the plug on the app, plain and simple.

The linked document is explicit that it is most likely the way Firefox Focus is engineered that allows the exploit to occur.

And you said it yourself: every iOS browser is WebKit. But obviously only this one browser was coded poorly.