Mozilla Foundation Security Advisory 2016-41
Content provider permission bypass allows malicious application to access data
- Announced: April 26, 2016
- Reporter: Ken Okuyama
- Impact: Moderate
- Products: Firefox
- Fixed in: Firefox 46
Description
Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data, including browser history and locally saved passwords. The issue occurs when a list of permissions is defined to match those that Firefox uses for its content providers, which bypasses signature protections. It does not occur on Android 5.0 or later versions of Android.
This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
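The following is an added example, not part of the advisory or Mozilla's code: a defender-side audit that compares decoded AndroidManifest.xml text and flags another package declaring a permission name that guards the protected app's content providers. The package names, permission names and manifests are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

def provider_permissions(root):
    """Permission names that guard the app's <provider> elements."""
    attrs = ("permission", "readPermission", "writePermission")
    return {p.get(A + a) for p in root.iter("provider") for a in attrs if p.get(A + a)}

def find_redefinitions(protected_xml, other_xml):
    """List permissions guarding the protected app's providers that another
    package also declares, with the protection level that package gives them
    (protectionLevel defaults to "normal" when the attribute is omitted)."""
    protected, other = ET.fromstring(protected_xml), ET.fromstring(other_xml)
    if protected.get("package") == other.get("package"):
        return []
    guarded = provider_permissions(protected)
    requested = {u.get(A + "name") for u in other.iter("uses-permission")}
    findings = []
    for perm in other.iter("permission"):
        name = perm.get(A + "name")
        if name in guarded:
            findings.append({
                "package": other.get("package"),
                "permission": name,
                "declared_level": perm.get(A + "protectionLevel", "normal"),
                "also_requested": name in requested,
            })
    return findings

# Constructed sample manifests (placeholder names, not Firefox's real ones).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
PROTECTED = f"""<manifest {NS} package="com.example.browser">
  <permission android:name="com.example.browser.permission.HISTORY"
              android:protectionLevel="signature"/>
  <application>
    <provider android:name=".HistoryProvider"
              android:authorities="com.example.browser.history"
              android:permission="com.example.browser.permission.HISTORY"/>
  </application>
</manifest>"""
SUSPECT = f"""<manifest {NS} package="com.example.flashlight">
  <permission android:name="com.example.browser.permission.HISTORY"/>
  <uses-permission android:name="com.example.browser.permission.HISTORY"/>
</manifest>"""

if __name__ == "__main__":
    for finding in find_redefinitions(PROTECTED, SUSPECT):
        print(finding)
```

A finding whose declared level is weaker than the protected app's own `signature` declaration is the pattern to investigate on devices running Android versions below 5.0.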