Ability to detect/notify/correct the hijacking of homepage/startpage

NEW
Unassigned

Status

()

Firefox
Security
P2
enhancement
3 months ago
a month ago

People

(Reporter: hectorz, Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 1 bug, {feature})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [outreach, moz china])

(Reporter)

Description

3 months ago
In the extensions we ship with Fx China repack, we have features to detect/notify/correct hijacking of homepage/startpage.

We check for and remove the homepage pref in {ProfD}/user.js for about one or two thousands users per day;

We also periodically check for known hijacking urls (basically, urls to portal sites with affilication ids) in the homepage pref, and ask the user on whether to reset it, a few thousands users choose to reset the pref daily;

And then there's the case described in bug 1329868, detected tens of thousands times a day.

Hijackers sometimes will use short url service to avoid detection.
Can this be considered to be a duplicate of bug 1322308?
Flags: needinfo?(bzhao)

Comment 2

3 months ago
I'm not sure why this is in WebExtensions.

After our discussion at the all-hands, I think we decided we'd like to see if core Firefox can mitigate this problem.
Mike, are you saying that we don't even need bug 1322308? Or that we still need that, but this specific use case for that bug will be covered by core Firefox?
Flags: needinfo?(mozilla)
(Reporter)

Comment 4

3 months ago
(In reply to Bob Silverberg [:bsilverberg] from comment #1)
> Can this be considered to be a duplicate of bug 1322308?

(In reply to Bob Silverberg [:bsilverberg] from comment #3)
> Mike, are you saying that we don't even need bug 1322308? Or that we still
> need that, but this specific use case for that bug will be covered by core
> Firefox?

This bug is more of a description of what we at Beijing office are currently doing about hijacking of homepage/startpage, and how to continue doing them (either with WebExtension, or as built-in feature) in the future. Sorry for any confusion.

(In reply to Mike Kaply [:mkaply] from comment #2)
> I'm not sure why this is in WebExtensions.
> 
> After our discussion at the all-hands, I think we decided we'd like to see
> if core Firefox can mitigate this problem.

Yes, we agreed this should be mitigated in Fx. I couldn't decide a proper component to file this, and sticked with WebExtensions.
Flags: needinfo?(bzhao)
Summary: Ability to detect/notify/correct the hijacking of homepage/startpage through WebExtensions → Ability to detect/notify/correct the hijacking of homepage/startpage
This needs to happen in Firefox proper. If we added this type of functionality to WebExtensions, people would only use it to hijack the homepage more effectively.
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → WONTFIX

Updated

3 months ago
Status: RESOLVED → REOPENED
Component: WebExtensions: Untriaged → General
Flags: needinfo?(mozilla)
Product: Toolkit → Firefox
Resolution: WONTFIX → ---

Comment 6

3 months ago
This is something the Firefox team needs to think about in terms of hijacking mitigation.

Have we seen user.js being used for hijacking?

Do we have telemetry on the use of user.js?
Status: REOPENED → NEW

Updated

3 months ago
Whiteboard: [outreach, moz china]
Component: General → Security
Priority: -- → P2
Severity: normal → enhancement
Keywords: feature
You need to log in before you can comment on or make changes to this bug.