CVE-2021-29973
📋 TL;DR
Firefox for Android versions before 90 automatically filled saved passwords on insecure (non-HTTPS) websites without requiring user interaction. This allowed attackers to steal credentials by tricking users into visiting malicious sites. Only Firefox for Android users were affected.
💻 Affected Systems
- Firefox for Android
📦 What is this software?
Firefox by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal saved passwords for banking, email, and other sensitive accounts by luring users to malicious sites.
Likely Case
Credential theft from phishing sites or compromised legitimate sites using HTTP.
If Mitigated
No impact if users avoid untrusted sites or have updated browsers.
🎯 Exploit Status
Exploitation requires the user to visit an attacker-controlled site, but there are no other technical barriers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox for Android 90 and later
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-28/
Restart Required: Yes
Instructions:
1. Open the Google Play Store.
2. Search for Firefox.
3. Tap Update.
4. Restart Firefox after the update.
🔧 Temporary Workarounds
Disable password autofill
Android: Turn off password saving and autofill in Firefox settings
Use HTTPS-only mode
Android: Enable HTTPS-only mode in Firefox settings to block HTTP connections
🧯 If You Can't Patch
- Avoid using Firefox for Android on untrusted networks
- Manually enter passwords instead of using autofill
🔍 How to Verify
Check if Vulnerable:
Check the Firefox version in Settings > About Firefox. If the version is below 90, the browser is vulnerable.
Check Version:
Not applicable; Firefox for Android has no command-line version check (use Settings > About Firefox).
Verify Fix Applied:
Confirm Firefox version is 90 or higher in Settings > About Firefox.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP site visits followed by password field interactions
Network Indicators:
- HTTP requests to unfamiliar domains with password parameters
SIEM Query:
Not typically applicable for mobile browser vulnerabilities
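The network indicator above (plaintext HTTP requests to unfamiliar hosts carrying password parameters) can be checked on a managed network's web-proxy logs. The following is an added example, not part of the advisory: it scans constructed proxy log lines, skips TLS traffic and an assumed allowlist of known HTTP-only hosts, and reports any remaining plaintext request whose query string or form body contains a password-style field.

```python
"""Flag plaintext-HTTP requests that carry credential-like parameters.
Added detection example (not from the advisory) over constructed proxy
log lines of the form "<timestamp> <client> <method> <url> <form-body>".
"""
from urllib.parse import urlsplit, parse_qs
import re

# Field names a login form or autofill submission typically uses.
CREDENTIAL_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|credential)$", re.I)

# Constructed allowlist: hosts where plaintext HTTP is expected and accepted.
KNOWN_HTTP_HOSTS = {"intranet.example.local"}

# Constructed sample log lines; "-" means the request had no form body.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 10.0.0.5 GET https://mail.example.com/inbox -
2021-07-01T10:00:07Z 10.0.0.5 POST http://login-example.net/signin user=alice&password=hunter2
2021-07-01T10:00:09Z 10.0.0.7 GET http://intranet.example.local/?pwd=x -
2021-07-01T10:00:12Z 10.0.0.9 POST http://news.example.org/comment text=hello
"""

def has_credential_param(url: str, body: str) -> bool:
    """True if the URL query or the form body contains a password-like field."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if body != "-":
        params.update(parse_qs(body, keep_blank_values=True))
    return any(CREDENTIAL_FIELDS.match(name) for name in params)

def find_plaintext_credential_posts(log_text: str) -> list[dict]:
    """Return one finding per plaintext-HTTP request carrying a credential field."""
    findings = []
    for line in log_text.splitlines():
        ts, client, method, url, body = line.split(" ", 4)
        parts = urlsplit(url)
        if parts.scheme != "http":              # TLS requests are out of scope
            continue
        if parts.hostname in KNOWN_HTTP_HOSTS:  # expected legacy traffic
            continue
        if has_credential_param(url, body):
            findings.append({"time": ts, "client": client,
                             "method": method, "host": parts.hostname})
    return findings

if __name__ == "__main__":
    for f in find_plaintext_credential_posts(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['host']} ({f['method']}) "
              "credential sent over plaintext HTTP")
```

A hit is a lead, not proof of this CVE: it shows a password left the device unencrypted, which is exactly the exposure an HTTPS-only policy removes.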