CVE-2024-10004 Overview
CVE-2024-10004 is a user interface confusion vulnerability affecting Firefox for iOS that allows for incorrect HTTPS indicator display. When a user opens an external link to an HTTP website after Firefox iOS was previously closed with an HTTPS tab open, the browser may incorrectly display the padlock icon showing an HTTPS indicator. This misleading security indicator could trick users into believing they are on a secure connection when they are actually browsing over an unencrypted HTTP connection.
Critical Impact
This vulnerability enables attackers to potentially conduct man-in-the-middle attacks against Firefox iOS users who believe they are on a secure HTTPS connection, potentially exposing sensitive data transmitted over what users perceive as an encrypted channel.
Affected Products
- Mozilla Firefox for iOS versions prior to 131.2
- Firefox for iOS mobile browser application
- iOS devices running vulnerable Firefox versions
Discovery Timeline
- October 15, 2024 - CVE-2024-10004 published to NVD
- April 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-10004
Vulnerability Analysis
This vulnerability is classified under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), which relates to UI security indicator spoofing. The flaw exists in how Firefox for iOS manages the state of the address bar security indicator when the browser session is restored after being closed.
The vulnerability occurs specifically in the tab restoration workflow. When Firefox iOS is closed with an HTTPS tab active and the user subsequently opens an external HTTP link, the browser fails to properly update the padlock indicator in the address bar. This creates a dangerous condition where users are visually assured of a secure connection when data is actually being transmitted in plaintext.
The attack requires network positioning (such as a public Wi-Fi network) where an attacker can intercept unencrypted HTTP traffic. Users who trust the spoofed HTTPS indicator may enter credentials, financial information, or other sensitive data without realizing the connection is insecure.
Root Cause
The root cause stems from improper state management during Firefox iOS session restoration. When external links are opened via iOS URL schemes while the app is in a cold-start state, the browser incorrectly preserves the security indicator state from the previous HTTPS session rather than updating it to reflect the actual HTTP connection status of the newly loaded page.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction beyond the initial link click. An attacker could exploit this vulnerability through the following scenario:
- The victim uses Firefox iOS to browse an HTTPS site
- The victim closes Firefox iOS (app termination)
- The attacker sends the victim a link to a malicious HTTP site (via email, SMS, or another messaging app)
- When the victim taps the external link, Firefox iOS opens to the HTTP site
- Due to the bug, the padlock indicator shows HTTPS even though the connection is HTTP
- The victim believes they are on a secure site and may enter sensitive information
- The attacker intercepts the unencrypted data via network-level attacks
The vulnerability mechanism relates to iOS app lifecycle management and how Firefox handles URL scheme invocations during cold starts. For detailed technical analysis, refer to the Mozilla Bug Report #1904885.
Detection Methods for CVE-2024-10004
Indicators of Compromise
- Users reporting HTTPS padlock visibility on known HTTP-only websites
- Network traffic analysis showing plaintext HTTP requests while Firefox displays secure indicators
- User complaints about inconsistent security indicator behavior after app cold-starts
- Suspicious external link activity targeting Firefox iOS users
Detection Strategies
- Monitor Mobile Device Management (MDM) solutions for Firefox iOS version inventory to identify unpatched devices
- Implement network monitoring to detect HTTP traffic to sensitive destinations where HTTPS would be expected
- Deploy endpoint detection solutions capable of identifying browser version discrepancies on mobile devices
- Analyze iOS app usage patterns for Firefox cold-start scenarios following external link invocations
Monitoring Recommendations
- Configure enterprise MDM solutions to alert on outdated Firefox iOS installations
- Monitor for security awareness reports from users regarding unusual browser behavior
- Implement network-level inspection for HTTP traffic to high-value destinations
- Enable logging for external URL scheme invocations on managed iOS devices
How to Mitigate CVE-2024-10004
Immediate Actions Required
- Update Firefox for iOS to version 131.2 or later immediately
- Advise users to manually verify URL schemes (http:// vs https://) in the address bar rather than relying solely on the padlock indicator
- Consider temporarily restricting external link handling in Firefox iOS on managed devices until patching is complete
- Educate users about the vulnerability and encourage heightened vigilance when following external links
Patch Information
Mozilla has released Firefox for iOS version 131.2 which addresses this security indicator spoofing vulnerability. The fix ensures that the padlock indicator correctly reflects the actual connection security state regardless of the browser's previous session state or cold-start conditions.
For complete details, refer to the Mozilla Security Advisory MFSA-2024-54.
Organizations should prioritize deploying this update through their mobile device management infrastructure. The update corrects the session restoration logic to properly reset the security indicator state when processing external URL invocations.
Workarounds
- Instruct users to manually verify the full URL in the address bar, confirming it begins with https:// before entering sensitive information
- Deploy network-level HTTPS enforcement using HSTS preload lists where possible to force HTTPS connections
- Configure managed browsers to use HTTPS-Only Mode if available in enterprise deployments
- Consider using alternative browsers on iOS until Firefox can be updated in environments where immediate patching is not feasible
# Example MDM command to check Firefox iOS version on managed devices
# Verify all devices are running Firefox iOS 131.2 or later
mdm-tool query-app-versions --app-bundle-id "org.mozilla.ios.Firefox" --minimum-version "131.2"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
