Third-party snooping can be terribly dangerous. Recently, the Mozilla Foundation found five high-risk bugs in the Firefox web browser that opened iPhone AirPods to third-party snooping and collection of data by unknown sources. This comes as a surprise, as Mozilla Firefox is a trusted and reliable browser used by software firms and multinational companies.
The bug in question apparently allowed hackers to target iPhone users without their knowledge, switch on their iPods and collect data from them. This has serious implications now that major US tech giants have come under scrutiny for their data privacy and data breach policies.
Exploiting vulnerability
The Mozilla Foundation has reported that the bug has not yet been exploited to a harmful degree; it led to an immediate bug-fix update with Firefox 74, build 68.
In response to this, the Mozilla Foundation released 12 bug patches. Out of these twelve, six were rated as moderate severity and one was rated as a low-severity bug.
The patches also addressed serious flaws that varied from two memory out-of-bounds issues to two use-after-free bugs.
A senior technical product manager from a patch-management firm hired by Mozilla stated that the bug was a novel and interesting way of exploiting iPhone AirPods users. The bug apparently made the device vulnerable by allowing a website with camera or microphone access to retrieve information about the users of the AirPods.
For example, when a user connects their AirPods to their iPhone for the first time, the AirPods automatically take the default name from the iPhone. This allows websites with camera or microphone access to readily identify the user’s name and identity.
The Mozilla Foundation said of the issue that it is handled as a special case: the fix renames devices whose names contain the substring "AirPods". This fix was credited to Jan-Ivar Bruaroey, who found the iPhone-related vulnerability.
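The special-case rename described above can be sketched as follows. This is an added example, not Mozilla's code: the device list is constructed sample data shaped like the output of `navigator.mediaDevices.enumerateDevices()`, the function names are hypothetical, and the exact-case substring match and the generic replacement label "AirPods" are assumptions.

```javascript
// Constructed sample data: what a page holding camera/mic permission could
// read from enumerateDevices(). Names and ids are made up for illustration.
const sampleDevices = [
  { kind: "audioinput",  deviceId: "a1", label: "Jane Doe's AirPods" },
  { kind: "audiooutput", deviceId: "a2", label: "Jane Doe's AirPods Pro" },
  { kind: "audiooutput", deviceId: "a3", label: "Jane Doe's Headset" },
  { kind: "audioinput",  deviceId: "a4", label: "Built-in Microphone" },
  { kind: "videoinput",  deviceId: "v1", label: "FaceTime HD Camera" },
];

// The special case from the article: a label containing the substring
// "AirPods" is replaced by a generic name (assumed here to be "AirPods").
function sanitizeLabel(label) {
  return label.includes("AirPods") ? "AirPods" : label;
}

// Return a sanitized copy of the device list; the input is not mutated.
function sanitizeDevices(devices) {
  return devices.map((d) => ({ ...d, label: sanitizeLabel(d.label) }));
}

// Audit helper (hypothetical): list labels that still look like
// "<owner>'s <device>", i.e. labels that carry a personal name.
function labelsLeakingOwner(devices) {
  const possessive = /^.+?['’]s\s+\S/;
  return devices.filter((d) => possessive.test(d.label)).map((d) => d.label);
}

const cleaned = sanitizeDevices(sampleDevices);
console.log(cleaned.map((d) => d.label));
console.log("still personal:", labelsLeakingOwner(cleaned));
```

Because the rule is a substring special case, the audit helper still flags the constructed non-AirPods label, which is the kind of check worth running over device labels before they are exposed to page script.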
Some other high-severity bugs were also found to endanger the memory system, leading to memory corruption and escalation of privileges on the victim’s endpoint. These safety script bugs are identified as CVE-2020-6805, CVE-2020-6807, CVE-2020-6814, and CVE-2020-6815.
One interesting bug, CVE-2020-6810, was rated as medium severity, but as the spokesperson said, it can be used to track users through malicious websites that trick them into opening illegal and dangerous pop-ups that can mimic the browser and take it into fullscreen mode. This vulnerability can become a gateway for a cyber attacker to wear a sort of mask that hides the notifications and makes them invisible to the user.
Melick, a senior technical officer, identified another bug, CVE-2020-6812, as a Firefox flaw with a high-level security issue. It affects iPhone users in a unique way: it exploits the vulnerable points of the system and can cause serious damage by enabling the camera and microphone to gather information.
With this, Firefox also released a new corporate version that enables users to do more with the Firefox system. However, it had some high-severity bugs and three medium-severity bug patches.