583961 - Invalid URL redirected to google! Allows google to index potentially sensitive internal information!!!

Status: VERIFIED DUPLICATE of bug 517736

(Firefox :: Address Bar, defect)

Description

[Dietmar May]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

If an invalid URL is typed in the address bar, the search is redirected to google. That's the WORST THING it could do! Suppose the URL has information about a company's internal network, including host names, port numbers, and even passwords! (OK, it's generally a bad idea to include a password in a URL, but ...) From behind a firewall, that information is protected. Even on the internet, the encrypted connection is negotiated before the parameter (eg. directory) information in the URL is passed to the server. But firefox bypasses that firewall protection, and SENDS PRIVATE INFORMATION STRAIGHT TO google, who is happy to then include that in public search results for the whole world!!!!!

IE 6 doesn't do that.

I've checked all the settings I can see, and can't find an option that resolves this. I believe there was an about:settings mode before, but that doesn't work. prefs.js doesn't seem to have a flag to change this behavior. And if it were (made) configurable, the default should NOT be to search from the address bar. There's a search toolbar for that!

This is the worst possible behavior, a major security hole, and enough of a flaw that I've just abandoned firefox as my corporate browser, have very reluctantly switched back to IE, and will be sending this to our IT department for review.

Reproducible: Always

Steps to Reproduce:
Type the specified URL (or any invalid text) into the address bar.
Actual Results:  
Firefox sends the URL straight to google, which reports:

Your search - Invalid URL not found https://abc.de.server.snooper.com:1234/abc/def/yakko?SNARF=GO - did not match any documents.

Suggestions:

    * Make sure all words are spelled correctly.
    * Try different keywords.
    * Try more general keywords.
    * Try fewer keywords.

Expected Results:  
HTTP Error 404 - URL not found; or some polite version, perhaps which pops up a search page that - WITHOUT SENDING ANYTHING TO GOOGLE - populates an edit field with the URL text and politely offers the user the opportunity to search, if they want.

Comment 1

[Matthias Versen [:Matti]]

This feature is very old and IE is doing the same with the default configuration.
(win7 and IE8)
http://support.mozilla.com/en-US/kb/Location+bar+search explains it for Firefox.
Why do you don't disable this feature if you don't like it ?

Comment 2

[Dietmar May]

Why does Firefox enable this feature by default? And why doesn't Firefox provide some mechanism other than about:config to change it?

This default behavior caused me to leak some sensitive internal corporate details to the planet's biggest search engine (the same folks who probably drove by your house in Germany and captured the mac address of your wireless router, along with a picture of your house, because they want to know everything that they can about you, so they can sell your profile). To me, it's an unacceptable risk to have invalid URLs forwarded to them by default. Maybe IE does this by default too; and maybe for 80% of the user base, it's not an issue. Maybe the corporate IT guys and gals in my company have already locked down IE so it doesn't behave like that. But I think Firefox is much better than IE. Now I'm afraid to use it at work.

I looked in all of the preferences for some security setting to turn this off. As far as I can see, such preference doesn't exist.

As for about:config, even though I knew this existed (at one time), I couldn't remember the URL. (Remembered it as about:settings, which is wrong - but why do I need to remember this syntax? why isn't there a link on the advanced preferences page?)

If Firefox would disable this by default and provide some user accessible switch to toggle it, I believe it would be a good option. Or, as I mentioned earlier, if it displayed a webpage that allowed the user to search if they wanted to ... perhaps it could be done with the keyword.URL setting.

Thank you for the link and the tip about disabling this feature.

Comment 3

[Matthias Versen [:Matti]]

>Allows google to index potentially sensitive internal information
Google can't index sensitive material just because of this feature.
Sensitive material would be protected by at least basic authentication.

The is the same stupid story as with the WLAN. It's funny that people are angry because someone (in this case google) stored information from an unprotected and unencrypted WLAN. 

The only thing that google can get are internal server names and document names.

PS: I don't like Google. I don't use gmail (only as backup), no google maps (openstreetmap is better).

Comment 4

[Dietmar May]

No, what google can get is username/passwords that are embedded in https URLs, and information about how an internal network may be structured. I think that's a serious security flaw.

Given that the duplicate bug is marked resolved won't fix, it seems that either the folks at Mozilla have absolutely no concern about their users' security, or they have no willingness to think through the issue and understand why it's a serious flaw, or they're simply unwilling to invest effort to fix security holes, preferring to create pretty toolbar backgrounds and other eyecandy instead of protecting their users. I hope none of those are the case.

In the meanwhile, NOW THAT I KNOW about the config setting the hard way, I've turned it off on my personal machine. For my corporate environment, I've just uninstalled Firefox, and have gone back to using Internet Explorer, as configured by my IT folks. And I really hate to have to do that.

Comment 5

[Shawn Wilsher :sdwilsh]

(In reply to comment #4)
> Given that the duplicate bug is marked resolved won't fix, it seems that either
> the folks at Mozilla have absolutely no concern about their users' security, or
> they have no willingness to think through the issue and understand why it's a
> serious flaw, or they're simply unwilling to invest effort to fix security
> holes, preferring to create pretty toolbar backgrounds and other eyecandy
> instead of protecting their users. I hope none of those are the case.
...or they have a different perspective on how serious the "flaw" is...

Comment 6

[Robin Whittle]

This is a serious flaw: The default behavior is sending accidentally pasted text to any external site. It is common to make mistakes about what is in the clipboard. I have sensitive text X in the clipboard, such as a complete personal email, perhaps from half an hour ago, and I think I have copied text Y (a URL) to the clipboard, but for some reason this copy operation did not occur.  I paste to the address bar of Firefox and hit enter immediately - something I do dozens of times a day - and text X is sent to an external site.

If someone doesn't think this is a serious flaw, then what else would they need to be convinced of?

To make it worse, there is no normal UI method of disabling this behavior.

See my Bug 1346505 for how disabling this behavior with "about:config keyword.enabled = false" does not work if the text in the address bar contains, for instance, "google", even though Google is not in my list of search engine providers.

Comment 7

[Marco Bonardo [:mak] (Away Apr 25 - May 5)]

Sorry, but the fact you found an implementation bug, is not a good enough reason to comment in a 7 years old closed bug.

Comment 8

[Robin Whittle]

But not so sorry that you would refrain from posting to the same bug.  You don't cite any external references or guidance on when it is appropriate or not to post to an old bug.

Dietmar May went to a lot of trouble to argue why this export of arbitrary, potentially highly sensitive, information to search engines is a serious matter.  The replies here do not engage his arguments regarding potential seriousness, the default setting being to cause this behavior and the lack of a normal UI option to turn it off.  My guess is that those who think it is an acceptable trade-off are trying to make Firefox full of superficially impressive features, but which in this case are so badly thought out as to sometimes export private data to search engines.

Search engines sometimes publish or privately sell search term data, or at least make it available to advertisers.  Search engines typically use search terms to create real-time search suggestions.  So let's say person A writes an email to person B stating that person C is a terrorist or characterizes them in some vile way.  Or perhaps they mention person B's phone number, or mention their name close to the name of person D.  For one reason or another, B copies the text into clipboard.  Some time later, they copy a URL from a website and paste it into their Firefox address bar, hitting Enter a fraction of a second later, since they do this many times a day.  However, for some reason (such as the focus not being on the window with the selected URL, and actually being on a window where nothing is selected), the intended copy action does not take place, so the entire private email is in their clipboard, and is sent to the search engine.

Subsequently, when persons E to Z are typing in the name of person C into same search engine, the search suggestions include the accusation, C's phone number and/or the name of person D.

That's bad enough.  Then if any of these E to Z people actually follow these suggestions and perform searches with them, then the search term system is further polluted with these unintended associations, which were only ever made in A's private text, which might have been an email to B, or might have been something they wrote for their own eyes only.  Also, persons searching for D may find C in their search suggestions.  Furthermore, the appearance of surprising search suggestions in response to a person's name could trigger a storm of amplification on social media, where there are no limits to how big the amplification could grow, and where common sense and decency cannot be replied upon to quell its spread.

A would typically be unaware that all this has occurred.  C and D might become aware of it, or have their job prospects harmed without knowing at all what has occurred.

Microsoft and other non OSS companies frequently fudge important distinctions, such as between the function of an address bar and the function of a text window to send search terms to a search engine.  Google does it with their search page if you use it with Chrome - the user's text goes straight into the address bar, which then functions as a search engine text box.  I guess many people think this is a cool convenience: type search terms in the address bar rather than open a specific search page.  

Maybe many Firefox users think it is a cool thing to do the same.  Few would anticipate the feature could ensnare them like A, C and D in my example.  I regard it as the responsibility of OSS programmers to think about these unintended consequences and write programs which do not, by default, enable such things to happen.

Those who disagree with Dietmar's or my position on this default behavior evidently think very differently.  However, no such arguments have been made above and no references have been given to any arguments elsewhere about why Firefox should prioritize shallow (I think) concepts of convenience and user impressions of coolness over preventing potentially serious breaches of privacy and security.

I mentioned my support for Dietmar's position here because I cited this bug in my new bug 1346505, and did not want to go through all the arguments about why this unauthorized export of user data is a serious matter. 

The fact that the bug is 7 years old makes no difference to me.  Just because something is old doesn't mean it is correct, or that the matter has been properly discussed.