Hackers can exploit vulnerability in Firefox Find My Device tool to wipe and lock Firefox OS run smartphones, change PIN

Hackers can remotely wipe out data on smartphones running on Firefox OS. This was revealed by Egyptian security researcher Mohamed A. Baset who found out a vulnerability in Firefox Find My Device service.

The Find My Device service is offered by Apple and Google and allows the smartphone owners pinpoint the location of their device on map and to lock and lock their smartphones in case they are stolen. According to Baset, vulnerabilities in Mozilla’s Find My Device service enabled hackers to carry out attacks that locked the screens of smartphones running Firefox OS, change PINs, make the devices ring, and even wipe all data with only a few clicks.

The vulnerability is somewhat similar to a similar vulnerability Baset found last year in Samsung’s Find My Mobile service. In fact, this vulnerability seems to be a variation of CVE-2014-8346, a security vulnerability that affected the Samsung Find My Mobile service.

Baset told Softpedia that the National Institute of Standards and Technology assigned a CSVV (Common Vulnerability Scoring System) score of 7.8 on the scale of 10 where 10 being the most easy vulnerability which can without elaborate technical skills.

The hackers can exploit the vulnerability by loading the Firefox Find My Device website inside a hidden iframe on other sites, via basic clickjacking techniques.  A hacker would have been able to carry out CSRF attacks that would lock or unlock the phone’s screen, set a new PIN only known by the attacker, or make the phone ring at maximum volume for one minute, even if set in vibrate or silent mode.

Unlike the Samsung Find My Mobile vulnerability, the one affecting Firefox’s service also allowed attackers to wipe the phones clean, which poses more risk since valuable data can be lost if not properly backed up.

The only exception is that for this attack to succeed, the hacker needs to be logged in on the service with their Firefox account, which very few people use.

Baset said that he had reported the vulnerability Mozilla in March, and Mozilla has stated that it has patched the bug on 21st April 2015.

Below is a YouTube video of the Samsung Find My Mobile hack. The Mozilla Find My Device attack should work in a similar fashion.