CVE-2022-22758 in Firefox
Summary
by MITRE • 12/22/2022
When clicking on a tel: link, USSD codes, specified after a <code>\*</code> character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/14/2026
This vulnerability represents a sophisticated cross-site request forgery risk in Firefox for Android browsers where tel: links containing USSD codes could execute unauthorized actions on user accounts. The flaw occurs when a user clicks on a tel: link that includes a USSD code following a asterisk character, allowing malicious actors to craft links that could perform sensitive operations on behalf of the user. The vulnerability stems from improper handling of tel: URI schemes where the browser fails to properly sanitize or validate USSD code sequences before initiating dial operations, creating a dangerous intersection between web content and mobile carrier services.
The technical implementation of this vulnerability involves the browser's URI parsing mechanism failing to distinguish between legitimate phone number components and potentially malicious USSD commands. When a tel: link contains a USSD code such as 123# or #06#, the Firefox for Android browser incorrectly processes these sequences as part of the dialing operation rather than recognizing them as special carrier commands that should be handled with appropriate security considerations. This parsing error creates a pathway for attackers to exploit the phone's native dialer functionality through web-based interfaces, effectively bypassing traditional web security boundaries that typically protect against cross-site request forgery attacks.
The operational impact of this vulnerability extends beyond simple unauthorized charges or data access, as USSD codes can perform a wide range of account operations including balance inquiries, service activation, PIN changes, and even account termination. Mobile carriers often implement USSD commands as privileged interfaces that can execute sensitive operations without requiring authentication from the user, making this attack vector particularly dangerous. The vulnerability affects users across specific carrier networks and device configurations, with the attack surface limited to Firefox for Android but potentially affecting numerous mobile service providers that support USSD functionality.
This vulnerability aligns with CWE-74 and CWE-75, which address improper neutralization of special elements used in a command or injection attack, specifically targeting the improper handling of command sequences in mobile contexts. The flaw also demonstrates characteristics of ATT&CK technique T1566 which involves social engineering through phishing attacks, as users might encounter malicious tel: links in emails, websites, or social media messages. The attack requires no special privileges or advanced technical skills from the attacker, making it particularly dangerous as it leverages the trust users place in web content and the native phone functionality of their devices.
The recommended mitigations include immediate upgrade to Firefox version 97 or later where the vulnerability has been patched through enhanced URI parsing and validation mechanisms. Organizations should implement network-level monitoring to detect unusual dialing patterns that might indicate exploitation attempts, while users should exercise extreme caution when clicking on tel: links from untrusted sources. Mobile carriers can also implement additional protections by filtering or requiring authentication for USSD commands that are initiated through web-based interfaces, though this requires coordination between browser vendors and telecommunications providers to establish comprehensive security controls.