Closed Bug 1010080 Opened 7 years ago Closed 4 years ago

Adware add-on searchme 2.0 can cause an infinite stack recursion during startup

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: ehsan.akhgari, Unassigned)

Attachments

(2 files)

19.97 KB, application/x-xpinstall
1.35 MB, application/x-apple-diskimage
I restarted my Nightly earlier today and upon restart I noticed that it crashes.  After attaching gdb to it and a series of interesting(!) debugging sessions, I realized that the issue is caused by an extension called searchme 2.0 by Spigot Inc.  I'm not sure how I got this extension installed on my system.  The latest thing that I got installed on my system was the latest version of the BitTorrent client and my strongest bet is that's how I got that extension.  It has also been installed in Chrome.

But here's the nature of the bug.  The add-on has the following code in chrome/content/protection.js (attaching the XPI file):

  observe: function(subject, topic, prefName)
  {
    if (topic == "nsPref:changed") // && prefName == "extensions.somepref")
    {
      switch (prefName)
      {
        case "keyword.URL":
          if (this.isOurEngine())
            this.handleChanges();
          break;

        case "browser.search.selectedEngine":
        case "browser.search.defaultenginename":
          if (SEARCHME.from3rdparty)
            searchme_setFirefoxPreference("searchme.protection", "true", "string");
          if (!this.isOurEngine())
            this.handleChanges();
          else
            searchme_setFirefoxPreference("searchme.protection", "true", "string");
          break;
      }
    }
  },

  handleChanges: function ()
  {
    var strProtected = searchme_getFirefoxPreference("searchme.protection");

    if ("false" == strProtected)
      return;

    if (SEARCHME.from3rdparty)
    {
      if (this.jsonPrefs)
      {
        for each (pref in this.jsonPrefs)
        {
          searchme_setFirefoxPreference(pref.name, pref.value, pref.type);
        }
      }
      else
      {
        searchme_setFirefoxPreference("browser.search.selectedEngine", this.enginename, "string");
        searchme_setFirefoxPreference("browser.search.defaultenginename", this.enginename, "string");
      }
      searchme_EnsureVisibleDS(this.enginename);
    }
    else
    {
      searchme_setFirefoxPreference("searchme.protection", "false", "string");
    }
  }

Specifically, the add-on handles nsPref:changed for "browser.search.selectedEngine", which can call handleChanges (presumably when the add-on detects that the Yahoo search engine plugin which it tries to force you to use is no longer the default search engine), and handleChanges under some conditions can cause the add-on to set the "browser.search.selectedEngine" pref again, triggering the nsPref:changed observer and ultimately causing an infinite stack recursion leading into a crash when we run out of stack space.  Our own code protects against this kind of issue by using the _changingCurrentEngine boolean flag here: <http://mxr.mozilla.org/mozilla-central/source/toolkit/components/search/nsSearchService.js#4067> which is checked for in our nsPref:changed handler.

I would normally say we should contact the add-on author and get them to fix this extension but since this is adware which I never installed myself and it can cause Firefox to crash during startup, I think we should blocklist it.
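
Added example (not part of the original report, and not code from the add-on or from Firefox): a small model of the re-entrancy described above, showing an observer that writes the pref it observes and the same observer with a boolean guard in the spirit of _changingCurrentEngine. PrefStore, makeObserver, run, the engine names and the depth limit are all constructed for illustration; the store reports every write, and the engine check is assumed to keep failing.

```javascript
const ENGINE_PREF = "browser.search.selectedEngine";

// Constructed stand-in for a preference service: observers run synchronously
// inside set(), and every write is reported (a simplification).
class PrefStore {
  constructor(maxDepth = 200) {
    this.values = new Map();
    this.observers = [];
    this.depth = 0;
    this.maxDepth = maxDepth; // stands in for the native stack limit
  }
  get(name) { return this.values.get(name); }
  set(name, value) {
    this.values.set(name, value);
    this.depth++;
    try {
      if (this.depth > this.maxDepth) throw new RangeError("observer nesting too deep");
      for (const o of this.observers) o.observe(null, "nsPref:changed", name);
    } finally {
      this.depth--;
    }
  }
}

// Hypothetical observer that writes the pref it observes, as in the report.
// With guarded=true it ignores notifications caused by its own write.
function makeObserver(prefs, ourEngine, isOurEngine, guarded) {
  return {
    changing: false,
    calls: 0,
    observe(subject, topic, prefName) {
      if (topic !== "nsPref:changed" || prefName !== ENGINE_PREF) return;
      if (guarded && this.changing) return;
      this.calls++;
      if (isOurEngine()) return;
      this.changing = true;
      try { prefs.set(ENGINE_PREF, ourEngine); } finally { this.changing = false; }
    },
  };
}

function run(guarded) {
  const prefs = new PrefStore();
  // Assumed condition: the engine check keeps failing after the write.
  const obs = makeObserver(prefs, "ExampleEngine", () => false, guarded);
  prefs.observers.push(obs);
  let crashed = false;
  try { prefs.set(ENGINE_PREF, "OtherEngine"); } catch (e) { crashed = e instanceof RangeError; }
  return { crashed, calls: obs.calls, value: prefs.get(ENGINE_PREF) };
}
```

run(false) nests until the model's depth limit is hit; run(true) handles the external change once and skips the notification caused by its own write.
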
BTW, <http://apple.stackexchange.com/questions/90894/where-has-the-searchme-extension-for-safari-and-chrome-come-from> confirms my suspicion about BitTorrent bundling this.  Should we consider contacting them and asking them to not bundle an extension that can cause Firefox startup crashes?
ID: searchme@mybrowserbar.com

Kris, what does the usage look like for this ID?
Component: Extension Compatibility → Blocklisting
Flags: needinfo?(kmaglione+bmo)
Product: Firefox → addons.mozilla.org
At least a half million users.
Flags: needinfo?(kmaglione+bmo)
I tried installing BitTorrent and didn't get the extension. It could be that it's no longer bundled or the installer is different by country.

Kris, can you give it a try? Also, can you tell if the majority of installs are silent?
Flags: needinfo?(kmaglione+bmo)
I don't get an extension when I install BitTorrent. It does hijack the default search engine to Yahoo, though.

I did accept a click-through offer to install Spigot, but I don't see an add-on.

I also opted into installing the we-care.com add-on, which did bypass about:newaddon.
Flags: needinfo?(kmaglione+bmo)
There's no way to tell if installs are silent. The majority do not have the foreign install flag set, but there are ways of bypassing that, such as dumping the add-on into the stage directory. Most copies with the foreign install flag seem to be disabled.
Attached file BitTorrent.dmg
This is the BitTorrent image I downloaded; it _definitely_ bundles this add-on, I just verified by reinstalling it, and AFAICT it doesn't even prompt me during the installation process.  Also, note that the extension installs itself in _all_ Firefox profiles, and also in Chrome and Safari as well.  It doesn't trigger the new extension prompt that I would usually get when a third party software installs an extension.
So this is happening on OS-X? Hm. OK, well, I don't currently have an OS-X virtual machine, and I'm not willing to intentionally install malware outside of one, so I can't test this at the moment.
(In reply to comment #8)
> So this is happening on OS-X? Hm. OK, well, I don't currently have an OS-X
> virtual machine, and I'm not willing to intentionally install malware outside
> of one, so I can't test this at the moment.

Yeah, I've only seen this on OSX, sorry I should have been more clear about that.  And not trying this on your main machine is absolutely the right call!  :-)
I just gave the installer a try and it didn't install the extension. I looked at the package contents and I couldn't see the extension file there either. It could be it is hidden in one of the binaries or downloaded at some point (could be location-dependent also).
I'll contact Spigot about this anyway.
Thank you.  Sorry I wasn't able to provide better information here...
The fix for the stability issue has been released along with making the install non-silent.
This add-on also replaced yahoo.xml in my profile, which made it so that I didn't get the new Yahoo experience until I edited that file manually.
Product: addons.mozilla.org → Toolkit
Closing old blocklist requests that shouldn't be valid after the move to WebExtensions-only in Firefox 57. Please comment if you think this bug is still valid and should be reopened.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID