CVE-2025-0244 - Firefox Android Address Bar Spoof via Invalid Protocol Redirection
A critical security vulnerability (CVE-2025-0244) has been discovered in Firefox for Android before version 134. It allows attackers to spoof the address bar by abusing how the browser handles invalid protocol schemes during redirects. Desktop users are not affected, but Android users need to be aware of this risk and update their browsers. In this post, we’ll break down what the flaw is, how it works, look at simple code snippets, and see how attackers might exploit it.
What is CVE-2025-0244?
CVE-2025-0244 is a vulnerability allowing an attacker to redirect a user to a URL crafted with an invalid protocol. After this redirect, Firefox for Android fails to update the address bar correctly; it keeps displaying the initial (safe-looking) URL, while the browser has loaded attacker-controlled web content. This tricks users into thinking they’re on a legitimate site even though they’re not.
Note: This only affects Android devices. Windows, Mac, Linux, and iOS devices are not affected.
1. Victim visits a legitimate URL.
2. That page redirects to a specially crafted URL using an invalid protocol (e.g., fake://evil.com).
3. Firefox Android fails to change the address bar. It still shows the original safe-looking address.
4. Attacker’s content is loaded. The user now sees fake (potentially phishing) content that appears to be from the original site.
Here’s a simple snippet of code demonstrating the exploit logic:
<!-- attacker.html -->
<script>
// Immediately redirect the user to an invalid protocol
window.location = "fake://evil.com";
</script>
Or, using HTTP redirect headers:
HTTP/1.1 302 Found
Location: fake://evil.com
When this loads in a vulnerable Firefox for Android (before version 134), the address bar remains on https://legitimate-site.com/attacker.html while the content from evil.com, or a blank screen, is shown. This allows phishing messages or fake login forms to appear under a trusted-looking address.
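The redirect described above leaves a visible trace on the server or proxy side: a 3xx response whose Location header names a scheme the browser is not expected to navigate to. As an added defender-side example (not code from the original post or from Mozilla), the following Python flags such redirects in proxy log lines; the log format `status request_url location` and the http/https-only policy are assumptions for this example.

```python
# Added example, not from the original post: flag 3xx responses whose Location
# header points at a non-web scheme (e.g. fake://evil.com), the signal behind
# the CVE-2025-0244 redirect. Log format is constructed: "<status> <request_url> <location>".
import re
from urllib.parse import urljoin, urlsplit

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumed policy: ordinary web redirects only; every other scheme is reviewed.
WEB_SCHEMES = {"http", "https"}


def redirect_scheme(request_url: str, location: str) -> str:
    """Return the lower-case scheme the browser would land on after the redirect."""
    target = location.strip()
    m = SCHEME_RE.match(target)
    if m:
        return m.group(1).lower()
    # Relative Location (a path or //host): resolved against the request URL
    return urlsplit(urljoin(request_url, target)).scheme.lower()


def classify_redirect(request_url: str, location: str) -> str:
    """'ok' for http/https targets, otherwise a verdict naming the odd scheme."""
    if location == "-":
        return "missing-location"
    scheme = redirect_scheme(request_url, location)
    if scheme in WEB_SCHEMES:
        return "ok"
    return "unparseable" if scheme == "" else f"non-web-scheme:{scheme}"


def flag_suspicious_redirects(log_lines):
    """Return (request_url, location, verdict) for each 3xx line needing review."""
    findings = []
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or not parts[0].startswith("3"):
            continue  # not a well-formed line, or not a redirect
        _status, request_url, location = parts
        verdict = classify_redirect(request_url, location)
        if verdict != "ok":
            findings.append((request_url, location, verdict))
    return findings


SAMPLE_LOG = [  # constructed sample lines for this example
    "302 https://legitimate-site.com/attacker.html fake://evil.com",
    "301 http://legitimate-site.com/ https://legitimate-site.com/",
    "302 https://legitimate-site.com/login /account",
    "302 https://legitimate-site.com/go //cdn.example.net/x",
    "303 https://legitimate-site.com/contact mailto:help@example.com",
    "200 https://legitimate-site.com/ -",
]
```

Relative and scheme-relative Locations resolve to the request's own scheme and pass, while the `fake://` target and the non-web `mailto:` target are returned for review.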
Phishing Example
1. An attacker sends a phishing SMS with a link to https://legitbank.com.security-checkers[.]com/.
2. That page instantly redirects to an invalid protocol: fakescheme://phishingsite.com/.
3. The victim’s Firefox for Android keeps showing legitbank.com in the address bar, while presenting a fake bank login page.
Mitigation
Solution: Upgrade to Firefox for Android version 134 or later.
- Download the latest version from the Google Play Store.
- Or see official update notes at: Firefox Release Notes
References
- Security Advisory (Mozilla) - 2025-0244
- CVE Details - CVE-2025-0244
Conclusion
CVE-2025-0244 is a serious vulnerability affecting Firefox for Android users. If you use Firefox on your phone and haven’t updated, now is the time. Always check that you’re on the latest version, and be wary of links that unexpectedly redirect or ask for sensitive information, even if the address bar looks safe.
Timeline
Published on: 01/07/2025 16:15:39 UTC
Last modified on: 01/08/2025 16:15:37 UTC