I demonstrated a bug in Firefox for Android, reported in 2019, that lets the device camera and microphone stay active even though the app is not in use (in the background) or the device is locked.
In my test, when I killed the running Firefox, the stream was disconnected after 4 minutes, and it even survived a locked screen. After killing the app, it was lagging but still streaming without the user's knowledge.
This bug can't be misused remotely; however, in a hypothetical attack scenario it could be used as Stalkerware/Spouseware, since physical access to the device is necessary.
Original bug report: bugzilla.mozilla.org/show_bug...
ZDNet: www.zdnet.com/article/firefox...
(0:00): Firefox Android issue
(1:15): Vulnerability demo
(3:51): Impact
(4:30): Tips
#Android #Firefox #BugBounty
Aug 1, 2024