Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142.
The vulnerability results from improper validation of redirects (CWE-601 — open redirect) in the handling of FIDO: schemes in the Firefox for iOS application. A malicious website could inject a FIDO: link and instruct the operating system to launch hybrid passkey transport based on Bluetooth. An attacker within Bluetooth range of the victim could impersonate a legitimate target device, thereby causing the user to authorize the attacker's session instead of their own.
The attacker can take full control of the victim's account on the target service, because the user unknowingly authenticates the attacker's login session using their own passkey. This results in a breach of confidentiality and integrity of the protected account.
Firefox for iOS should be immediately updated to version 142 or later, and Firefox Focus for iOS should be updated to version 142 or later. Updates are available through the Apple App Store. Until the update is applied, avoid visiting untrusted websites in environments with Bluetooth enabled.
Firefox for iOS in versions prior to 142 and Firefox Focus for iOS in versions prior to 142.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 142.0Mozilla Firefox Focus
APPMozilla< 142.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...