browser.newtab.url can be hijacked by malicious software

RESOLVED DUPLICATE of bug 1083961

Status

()

RESOLVED DUPLICATE of bug 1083961
4 years ago
4 years ago

People

(Reporter: stefan, Unassigned)

Tracking

33 Branch
x86_64
Windows 8.1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

1. Install Conduit or other "badware" that is known to hijack the newtab page (I would not suggest reproducing this step)

2. Observe that opening a new tab redirects you to a hijacked URL

3. Remove malicious software


Actual results:

Opening a new tab still displays the hijacked URL


Expected results:

A UI to modify the new tab page without resorting to about:config

OR

That browser.newtab.url should be removed as it provides an avenue for malicious software to hijack the new tab page without a discoverable way for users to change it back

Comment 1

4 years ago
That's why there is a reset feature:
https://support.mozilla.org/en-US/kb/reset-firefox-to-fix-most-problems
(Reporter)

Comment 2

4 years ago
(In reply to Loic from comment #1)
> That's why there is a reset feature:
> https://support.mozilla.org/en-US/kb/reset-firefox-to-fix-most-problems

I personally don't consider a reset to be the appropriate solution, especially as it ignores the damage that can be done to a user who are not savvy enough to realize there is a problem or even how to perform a reset to fix it if they do.

A decision has already been made to remove the ui to modify browser.newtab.url in favor of always displaying about:newtab unless the user goes through the trouble of modifying the setting in about:config or installing an extension. I would propose that the setting is removed, an extension could easily restore this functionality for users who wish to keep it.

Comment 3

4 years ago
Gavin, can we do the same here that we did for the search engine selection and/or is there a bug on file about that already?
Flags: needinfo?(gavin.sharp)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(gavin.sharp)
Resolution: --- → DUPLICATE
Duplicate of bug: 1083961
You need to log in before you can comment on or make changes to this bug.