A Firefox for iOS/iPadOS vulnerability that I reported months ago ...

Erik van Straten /

npub1yzf…l3r7

2024-10-16 10:35:00

A Firefox for iOS/iPadOS vulnerability that I reported months ago (https://infosec.exchange/@ErikvanStraten/113181487823109378) has finally been fixed in v131.2.

A thank you to Mozilla for fixing it; CVE-2024-10004 (https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/) was assigned to this issue.

The vulnerability was that, under specific circumstances, Firefox would show a padlock without strikethrough for an http connection (see the images below).

To update Firefox for iOS/iPadOS, open https://apps.apple.com/app/firefox-private-safe-browser/id989804926; then double check that the Apple App Store app has opened, and that it is really the Firefox browser you're looking at (do not simply trust anyone, including me, who tells you to click on a link). Then tap the update button.

The update may also happen automatically, but that may take time.

npub1h74d7rkxxhpcr696e66xyfsuzmmdvzx6zu3ehnz28tnwgnrrmrtqy7z8hf (npub1h74…z8hf) npub1smvt66z9w0muq5pa0ws7qg3heg83eyhqj4qgx5m0kzh2l9k0nfzsem399s (npub1smv…399s)
#Firefox #iOSFirefox #CVE_2024_10004 #Vulnerability #Phishing

Author Public Key

npub1yzfshvmugq4nd4jhwve7hhwqzvvt7g9g23sharz5f5wdvg65r92qhql3r7

Seen on

wss://nostr.sprovoost.nl

Show more details

Published at

2024-10-16 10:35:00

Kind type

1 Short Text Note

Event JSON

{ "id": "da1b86341c71cf4fed8fcb18ad0df11901bb82affec4255e32dd128121db316e", "pubkey": "20930bb37c402b36d6577333ebddc01318bf20a854617e8c544d1cd623541954", "created_at": 1729074900, "kind": 1, "tags": [ [ "p", "bfaadf0ec635c381e8baceb462261c16f6d608da17239bcc4a3ae6e44c63d8d6", "wss://nostr.sprovoost.nl" ], [ "p", "86d8bd684573f7c0503d7ba1e02237ca0f1c92e0954083536fb0aeaf96cf9a45", "wss://nostr.sprovoost.nl" ], [ "p", "2474440ee66a2fd4567e44c31b46859f24abb35706d0382e76d7ee55c8ee1b6a", "wss://nostr.sprovoost.nl" ], [ "p", "c808cec8a154980550dc3162f3cb09190814a56bf2e59e8141e748b41ad2f9d3", "wss://nostr.sprovoost.nl" ], [ "t", "firefox" ], [ "t", "iosfirefox" ], [ "t", "cve_2024_10004" ], [ "t", "vulnerability" ], [ "t", "phishing" ], [ "proxy", "https://infosec.exchange/users/ErikvanStraten/statuses/113316652669640932", "activitypub" ] ], "content": "A Firefox for iOS/iPadOS vulnerability that I reported months ago (https://infosec.exchange/@ErikvanStraten/113181487823109378) has finally been fixed in v131.2.\n\nA thank you to Mozilla for fixing it; CVE-2024-10004 (https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/) was assigned to this issue.\n\nThe vulnerability was that, under specific circumstances, Firefox would show a padlock without strikethrough for an http connection (see the images below).\n\nTo update Firefox for iOS/iPadOS, open https://apps.apple.com/app/firefox-private-safe-browser/id989804926; then double check that the Apple App Store app has opened, and that it is really the Firefox browser you're looking at (do not simply trust anyone, including me, who tells you to click on a link). Then tap the update button.\n\nThe update may also happen automatically, but that may take time.\n\nnostr:npub1h74d7rkxxhpcr696e66xyfsuzmmdvzx6zu3ehnz28tnwgnrrmrtqy7z8hf nostr:npub1smvt66z9w0muq5pa0ws7qg3heg83eyhqj4qgx5m0kzh2l9k0nfzsem399s \n#Firefox #iOSFirefox #CVE_2024_10004 #Vulnerability #Phishing\n\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/113/316/580/373/038/754/original/e5cbe7a451a7a396.png\n\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/113/316/583/646/884/101/original/7ceb9eb63bc8efba.png", "sig": "6545b6e74651513da81013fa4b15af1658f13b0b44190a527ad419f5eadc93dd2632aefd3fa3c3146c9b45d66e8cd6b2f8dcec7de110eb1b0138462c58e9e418" }