If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

browser.newtab.url can be hijacked by malicious software

RESOLVED DUPLICATE of bug 1083961

Status

()

Firefox
Untriaged
RESOLVED DUPLICATE of bug 1083961
3 years ago
3 years ago

People

(Reporter: stefan, Unassigned)

Tracking

33 Branch
x86_64
Windows 8.1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

1. Install Conduit or other "badware" that is known to hijack the newtab page (I would not suggest reproducing this step)

2. Observe that opening a new tab redirects you to a hijacked URL

3. Remove malicious software


Actual results:

Opening a new tab still displays the hijacked URL


Expected results:

A UI to modify the new tab page without resorting to about:config

OR

That browser.newtab.url should be removed as it provides an avenue for malicious software to hijack the new tab page without a discoverable way for users to change it back

Comment 1

3 years ago
That's why there is a reset feature:
https://support.mozilla.org/en-US/kb/reset-firefox-to-fix-most-problems
(Reporter)

Comment 2

3 years ago
(In reply to Loic from comment #1)
> That's why there is a reset feature:
> https://support.mozilla.org/en-US/kb/reset-firefox-to-fix-most-problems

I personally don't consider a reset to be the appropriate solution, especially as it ignores the damage that can be done to a user who are not savvy enough to realize there is a problem or even how to perform a reset to fix it if they do.

A decision has already been made to remove the ui to modify browser.newtab.url in favor of always displaying about:newtab unless the user goes through the trouble of modifying the setting in about:config or installing an extension. I would propose that the setting is removed, an extension could easily restore this functionality for users who wish to keep it.

Comment 3

3 years ago
Gavin, can we do the same here that we did for the search engine selection and/or is there a bug on file about that already?
Flags: needinfo?(gavin.sharp)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(gavin.sharp)
Resolution: --- → DUPLICATE
Duplicate of bug: 1083961
You need to log in before you can comment on or make changes to this bug.