Dear Android users, if you use the Firefox web browser on your smartphones, make sure it has been updated to version 80 or the latest available version on the Google Play Store.
ESET security researcher Lukas Stefanko yesterday tweeted an alert demonstrating the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android.
Discovered originally by Australian security researcher Chris Moberly, the vulnerability resides in the SSDP engine of the browser that can be exploited by an attacker to target Android smartphones connected to the same Wi-Fi network as the attacker, with Firefox app installed.
SSDP, stands for Simple Service Discovery Protocol, is a UDP based protocol that is a part of UPnP for finding other devices on a network. In Android, Firefox periodically sends out SSDP discovery messages to other devices connected to the same network, looking for second-screen devices to cast.
Any device on the local network can respond to these broadcasts and provide a location to obtain detailed information on a UPnP device, after which, Firefox attempts to access that location, expecting to find an XML file conforming…