Closed Bug 1087837 Opened 10 years ago Closed 10 years ago

browser.newtab.url can be hijacked by malicious software

Categories

(Firefox :: Untriaged, defect)

33 Branch
x86_64
Windows 8.1
defect
Not set
normal

RESOLVED DUPLICATE of bug 1083961

People

(Reporter: stefan, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

1. Install Conduit or other "badware" that is known to hijack the newtab page (I would not suggest reproducing this step)

2. Observe that opening a new tab redirects you to a hijacked URL

3. Remove malicious software


Actual results:

Opening a new tab still displays the hijacked URL


Expected results:

A UI to modify the new tab page without resorting to about:config

OR

That browser.newtab.url should be removed as it provides an avenue for malicious software to hijack the new tab page without a discoverable way for users to change it back

(In reply to Loic from comment #1)
> That's why there is a reset feature:
> https://support.mozilla.org/en-US/kb/reset-firefox-to-fix-most-problems

I personally don't consider a reset to be the appropriate solution, especially as it ignores the damage that can be done to a user who is not savvy enough to realize there is a problem or even how to perform a reset to fix it if they do.

A decision has already been made to remove the UI to modify browser.newtab.url in favor of always displaying about:newtab unless the user goes through the trouble of modifying the setting in about:config or installing an extension. I would propose that the setting is removed; an extension could easily restore this functionality for users who wish to keep it.

Gavin, can we do the same here that we did for the search engine selection and/or is there a bug on file about that already?
Flags: needinfo?(gavin.sharp)
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gavin.sharp)
Resolution: --- → DUPLICATE
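
A defender-side check for the condition this report describes, as an added example that is not part of the original bug thread: it parses a profile's prefs.js and user.js and reports any browser.newtab.url override left behind after the software that set it has been removed. The sample prefs content and the hijack URL are constructed placeholders, and the function names are this example's own.

```python
import re
import sys
from pathlib import Path

# Line format Firefox uses for user-set preferences in prefs.js and user.js.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')
WATCHED = "browser.newtab.url"
DEFAULT = "about:newtab"  # what a new tab shows when the pref is untouched

# Constructed sample of a profile's prefs.js; the URL is a placeholder.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "http://search.hijacker.example/?src=newtab");
'''


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref(...) line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        prefs[name] = raw
    return prefs


def audit_profile(profile_dir):
    """Return [(file, value)] for each non-default browser.newtab.url override."""
    findings = []
    # prefs.js holds about:config changes; user.js is re-applied at every start.
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if not path.is_file():
            continue
        value = parse_prefs(path.read_text(encoding="utf-8", errors="replace")).get(WATCHED)
        if value is not None and value != DEFAULT:
            findings.append((fname, value))
    return findings


if __name__ == "__main__":
    for profile in sys.argv[1:]:  # pass one or more profile directories
        for fname, value in audit_profile(profile):
            print(f"{profile}/{fname}: {WATCHED} = {value}")
```

A finding in user.js matters more than one in prefs.js: resetting the value in about:config only edits prefs.js, and the user.js entry puts the override back on the next start.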