A new security vulnerability, now tracked as CVE-2025-0245, was found in Mozilla’s privacy-first browser, *Firefox Focus*, affecting versions before 134. In this report, we break down how a missing authentication check allows anyone with brief access to your phone to bypass Focus’s protection—even if you’ve enabled the “require authentication before use” feature. We’ll keep things simple and show the nitty-gritty with real code and practical tips.
What’s Firefox Focus?
Firefox Focus is a browser from Mozilla aimed at privacy. One nice security setting: it lets users require authentication—like fingerprint or device PIN—before you can see open tabs or browsing history. That’s designed to shield your private life if you hand someone your phone.
Effect: Bypasses the authentication step, giving access to Focus contents
- CVE ID: CVE-2025-0245
Exploit Roots
With the vulnerable versions, an attacker can manipulate the app state—by making Focus use the wrong "activity" or by leveraging Android’s multitasking—so it skips the authentication screen altogether. This only works in certain weird flows, but is quite practical if the phone is left unlocked and you have just a few seconds.
The Bypass
1. Open Firefox Focus as usual. When you switch away from the app, it locks (with fingerprint or PIN).
What Should Happen
When Focus is set to require authentication, picking it via “Share” should *always* prompt for unlock before letting you view or open the browser.
What Actually Happens (On vulnerable versions)
> The link opens straight in Focus—no unlock, no dialog, nothing.
Now you can see browser’s contents, tabs, history; whatever was there before.
Technical Details
Under the hood, Focus’s authentication gate was only checked for certain “intents”—the standard app launch. Other Android intents, like those from the share sheet, slipped past the check. The fix involves making sure *every* entry point triggers authentication if required.
Sample Patch (pseudo-code)
// old MainActivity.kt (vulnerable)
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
if (userPrefersAuth && launchedFromLauncher()) {
promptForAuth()
}
// ... normal flow continues
}
// fixed MainActivity.kt
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
// Always check for authentication, regardless of launch source
if (userPrefersAuth) {
promptForAuth()
}
// ... normal flow continues
}
The fix landed in v134 (patch link to be updated when public).
Proof of Concept (PoC)
Below is a basic Python script using ADB to simulate sharing a URL into Focus:
import os
# Replace with the package name for Firefox Focus
FOCUS_PKG = "org.mozilla.focus"
# Simulated share intent
url = "https://example.com";
os.system(f'adb shell am start -a android.intent.action.VIEW -d "{url}" {FOCUS_PKG}')
Expected (vulnerable):
Focus opens, no PIN or fingerprint required—even if “require authentication” is ON.
Expected (fixed):
You must authenticate before Focus opens.
Real-World Threat
- Anyone with your unlocked phone and a few seconds (to share a link from another app) can snoop on your private Focus browsing.
Mitigations
- Upgrade: Update Firefox Focus ASAP to version 134 or later (Play Store Link)
- Temporary workaround: Don’t leave your device unlocked. Closing Focus manually via the Recents screen may help, but is not foolproof.
Links and References
- CVE-2025-0245 at NVD
- Mozilla Security Advisories
- Focus Source Code on GitHub
- Android Intent System Documentation
Conclusion
This case shows how even simple preferences—like “require authentication before use”—have to be checked on *all* app entry points. Otherwise, crafty users (or malicious folks) can sneak right past.
Always update your browsers. Always check your settings. And don’t hand an unlocked phone to someone you don’t trust.
*Want more technical writeups and step-by-step code about mobile security? Follow for more exclusives!*
Timeline
Published on: 01/07/2025 16:15:39 UTC
Last modified on: 01/08/2025 16:15:37 UTC