Bug 1330274 (CVE-2016-2810) - CVE-2016-2810 Mozilla: Content provider permission bypass allows malicious application to access data (MFSA 2016-41)
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-2810
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1306172
Reported: 2016-04-25 18:49 UTC by Siddharth Sharma
Modified: 2021-02-17 03:58 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-09 04:49:24 UTC
Embargoed:



Description Siddharth Sharma 2016-04-25 18:49:37 UTC
Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. This issue does not occur on Android 5.0 or later versions of Android.

This issue only affects Firefox for Android. Other versions and operating systems are unaffected.

External Reference:

https://www.mozilla.org/security/announce/2016/mfsa2016-41.html

Comment 1 Siddharth Sharma 2016-04-25 18:49:44 UTC
Acknowledgments:

Name: the Mozilla project
Upstream: Ken Okuyama

