Open Bug 1161266 Opened 10 years ago Updated 2 years ago

No user warning when autoconfig is active and preferences may have been hijacked

Categories

(Firefox :: Settings UI, defect, P5)

37 Branch
defect

People

(Reporter: dustwolfy, Unassigned)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150417180217

Steps to reproduce:

When customized JS preferences are loaded (as per https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/A_brief_guide_to_Mozilla_preferences#Changing_defaults) there is no GUI in Firefox to alert the user that these are changing the settings. There seems to be malware that installs ad-inserting javascript via this method.

Actual results:

With the malware configuration files in place, firefox displays excessive ads everywhere. Yet checking the plugins, add-ons and all the usual places, including uninstalling and reinstalling firefox, yields no indication as to what is causing this altered behaviour.

Expected results:

There could have been a GUI element somewhere under plugins or somewhere, that would indicate what custom JS files are loaded via this method.
(In reply to dustwolfy@gmail.com from comment #0)
> User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
> Build ID: 20150417180217
>
> Steps to reproduce:
>
> When customized JS preferences are loaded (as per https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/A_brief_guide_to_Mozilla_preferences#Changing_defaults) there is no GUI in Firefox to alert the user that these are changing the settings.

Which of the two methods described is being used? What preferences are altered?

> There seems to be malware that installs ad-inserting javascript via this method.

I'd be interested in hearing where to get this malware so as to examine what it's doing (in a VM, I suspect...).

> Actual results:
>
> With the malware configuration files in place, firefox displays excessive ads everywhere. Yet checking the plugins, add-ons and all the usual places, including uninstalling and reinstalling firefox, yields no indication as to what is causing this altered behaviour.

about:support will indicate locked preference and a user.js file. Does it not indicate this in any way? Would that be sufficient as far as you are concerned?

It seems like enterprise users would have legitimate reasons to change (some) preferences in the ways described on MDN. Obviously we can't really provide a really visible message about this because it'd be problematic for those users. Depending on what preferences these are, maybe the preferences just need to be removed and/or we could stop supporting overriding those specific preferences.

(that said, I would expect that this avenue of attack would remain open via e.g. customized proxy prefs that point to something installed with the malware on localhost, that injects into all the requests for HTML or whatever)
Flags: needinfo?(dustwolfy)
Attached file Virus file 1
Flags: needinfo?(dustwolfy)
Attached file Virus file 2
I've attached the malware files I was dealing with. They were found in the following directories, default installation settings:

* C:\Program Files\Mozilla Firefox\browser\defaults\preferences\my-prefs.js
* C:\Program Files\Mozilla Firefox\my.cfg

The sentiment in the article I have linked seems to be that regardless of what an IT administrator (me in this case) would want, Firefox is aimed at keeping the user informed and giving them the option to opt-out of the administrator's settings if they choose to do so (as otherwise the customizations would be considered "user-hostile" as the article says). In line with that sentiment, I would expect some graphical user notification as to what is going on, outside of the "THIS WILL VOID YOUR WARRANTY" super hidden advanced settings.
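As an added example (not part of this bug thread and not Firefox's own code), the following Python script audits a Firefox install directory for the AutoConfig mechanism the reporter and the linked MDN page describe: it looks for a defaults pref file that sets general.config.filename, decodes the referenced .cfg, and lists every preference the script sets or locks, so an administrator can see what changed a profile without relying on about:support. Assumptions: the two candidate pref directories (the documented defaults/pref and the browser/defaults/preferences path from comment 2), the byte-shift obscuring of the .cfg controlled by general.config.obscure_value (default 13, assumed here to mean each byte is stored as (byte + shift) mod 256), and the sample install tree, which is constructed inline using the file names my-prefs.js and my.cfg from the report.

```python
"""Audit a Firefox install directory for an active AutoConfig script.

Added example for this bug thread (not Firefox code). It finds the defaults
pref file that points at a .cfg via general.config.filename, decodes the
.cfg and lists the preferences it sets or locks.
"""
import re
import tempfile
from pathlib import Path

# Pref directories checked relative to the install root (assumed list):
# defaults/pref is the documented AutoConfig location; the reporter found
# the pointer file under browser/defaults/preferences.
PREF_DIRS = ("defaults/pref", "browser/defaults/preferences")

# pref-style calls as written in defaults files and AutoConfig scripts.
PREF_CALL = re.compile(
    r'^\s*(pref|defaultPref|lockPref|user_pref|clearPref)\s*\(\s*"([^"]+)"'
    r'\s*(?:,\s*(.+?))?\s*\)\s*;',
    re.M,
)


def parse_pref_calls(text):
    """Return [(call, pref_name, raw_value_or_None)] for every pref call in text."""
    return [(m.group(1), m.group(2), m.group(3)) for m in PREF_CALL.finditer(text)]


def obscure(text, shift=13):
    """Byte-shift a script the way AutoConfig expects (assumed: (b + shift) % 256).
    Used here only to construct the sample .cfg."""
    return bytes((b + shift) % 256 for b in text.encode("utf-8"))


def deobscure(data, shift):
    """Undo obscure(); shift comes from general.config.obscure_value."""
    return bytes((b - shift) % 256 for b in data).decode("utf-8", "replace")


def find_autoconfig_pointer(install_root):
    """Return the pref file that enables AutoConfig, or None if none is found."""
    root = Path(install_root)
    for rel in PREF_DIRS:
        for js in sorted((root / rel).glob("*.js")):
            prefs = {name: val for _, name, val in parse_pref_calls(js.read_text(errors="replace"))}
            if "general.config.filename" in prefs:
                return {
                    "pointer_file": str(js),
                    "config_filename": (prefs["general.config.filename"] or "").strip('"'),
                    "obscure_value": int(prefs.get("general.config.obscure_value") or 13),
                }
    return None


def audit_autoconfig(install_root):
    """Report whether AutoConfig is active and which prefs the script touches."""
    pointer = find_autoconfig_pointer(install_root)
    if pointer is None:
        return {"active": False}
    cfg_path = Path(install_root) / pointer["config_filename"]
    raw = cfg_path.read_bytes()
    shift = pointer["obscure_value"]
    script = deobscure(raw, shift) if shift else raw.decode("utf-8", "replace")
    # Firefox ignores the first line of the config script; do the same.
    body = script.split("\n", 1)[1] if "\n" in script else ""
    calls = parse_pref_calls(body)
    return {
        "active": True,
        "pointer_file": pointer["pointer_file"],
        "config_file": str(cfg_path),
        "prefs": [(call, name) for call, name, _ in calls],
        "locked": [name for call, name, _ in calls if call == "lockPref"],
    }


def build_sample_install(tmp_dir):
    """Constructed sample install tree using the file names from the report."""
    root = Path(tmp_dir)
    pref_dir = root / "browser" / "defaults" / "preferences"
    pref_dir.mkdir(parents=True)
    # Pointer file: no obscure_value pref, so the default shift of 13 applies.
    (pref_dir / "my-prefs.js").write_text('pref("general.config.filename", "my.cfg");\n')
    (root / "my.cfg").write_bytes(obscure(
        "// first line is skipped by Firefox\n"
        'lockPref("browser.startup.homepage", "http://placeholder.invalid/");\n'
        'defaultPref("network.proxy.type", 1);\n'
        'lockPref("network.proxy.http", "127.0.0.1");\n'
    ))
    return root


def run_demo():
    """Build the constructed sample tree and audit it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_autoconfig(build_sample_install(tmp))


if __name__ == "__main__":
    # For a real check, call audit_autoconfig(r"C:\Program Files\Mozilla Firefox").
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it against a real installation means calling audit_autoconfig with the install root; a report with "active": False means no defaults file points at a config script, while a list of lockPref entries for homepage or network.proxy.* prefs is exactly the kind of change a user cannot undo from the settings UI and would otherwise only notice as locked entries in about:support.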
I agree that we should do a better job of detecting malware-inserted preferences (and probably close some malware holes in the process). But this is not a security issue per se and it doesn't need to be private. I don't expect that this is important enough to focus on right now. I'm going to call this "preferences" and we might move it to self-support later when that comes into being.
Group: core-security
Component: Untriaged → Preferences
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Summary: No GUI for JS preferences → No user warning when autoconfig is active and preferences may have been hijacked
Severity: minor → S4