Address bar spoofing in Firefox Lite for Android

…and the idiocy that followed

Date reported — 2019–08–29




Proof of concept (POC)

  1. Spawning a HTTP web-server with the attached payload i.e. spoof.html
  2. Loading the page e.g
  3. URL gets spoofed and shows contents of spoof.html while URL points at

Video demo —

Expected behavior

Reply from Mozilla

…11 months later

Frederik helped to re-initiate the staled report. This is what happened afterwards —

Thanks for the notification, — REDACTED — ! we’ll prioritize this issue in the sprint planning later today. — REDACTED —

Hi folks,
Per the given information and testing result, this issue is reproducible only on old webview versions (70).
Users has to update Chrome and Firefox Lite to latest version so that they get better security.
And then the coming tricky problem is we don’t have good position to prompt users to update their Chrome.
As we have very small user base hanging on that (or older) version so the impact is fairly limited.
That said, we don’t see immediate action to take on this issue.

Lingering the report for 11 months while the Google’s webview versions regularly updated; establishing low impact with a ridiculous reason.

It’s like saying — “Oh yeah, there’s RCE possible but we don’t use the software which has the bug you know, so the impact is fairly limited”.

I don’t think the reply needs any more explanation. I leave it up to you to judge the response. I’m not gonna do anything now. Let’s see what happens.

Peace out.

Originally published on Tinkering the kernel.

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store