Mozilla Foundation Security Advisory 2014-24

Android Crash Reporter open to manipulation

Announced

March 18, 2014

Reporter

Roee Hay

Impact

Moderate

Products

Firefox

Fixed in

Firefox 28

Description

Firefox for Android includes a Crash Reporter which sends crash data to Mozilla for analysis. Security researcher Roee Hay reported that third party Android applications could launch the crash reporter with their own arguments. Normally applications cannot read the private files of another application, but this vulnerability allowed a malicious application to specify a local file in the Firefox profile and it to its own server leading to information disclosure. The crash reporter can also be invoked in a manner causing an immediate crash of Firefox, leading to a potential denial of service (DOS) attack.

References

Security vulnerability: CrashReporter Path Traversal (CVE-2014-1506)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2014-24

Android Crash Reporter open to manipulation

Description

References