Closed Bug 1394979 Opened 8 years ago Closed 8 years ago

Malicious site - drive by download

Categories

(Core :: DOM: Security, defect)

55 Branch
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: alexismyfriend, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053622
Steps to reproduce: Browsing my outlook.live.com email, a malicious site opened a tab by itself, without any interaction from me. Interestingly it somehow also killed Ublock Origin, the icon in the upper right was gone. The site was blocked immediately by my antivirus, ESET Smart Security. I do not know how to reproduce this issue, it seems related to the ads in outlook.live.com. I've even reloaded all the emails I was looking at, it does not recur. Additionally I am aware of safe browsing habits, which is why this site opening itself was shocking. Nothing like this has ever happened to me before, I have not had a virus in years. Occasionally I scan with different bootable scanners to be sure. Firefox version 55.0.3 64-bit.
Actual results: A malicious site opened itself. The MALICIOUS site is: http://378972357.win/en/?id=KzEgKDg1NSkgMzU1LTUxMTU
Expected results: Nothing. Nothing should've happened, lol.
Group: firefox-core-security
Hi, this happened somehow to me too, but just the part where uBlock Origin suddenly disappeared from the toolbar. The extension appeared to be installed and working but I couldn't bring it back. That one was fixed with a reinstall, and it happened to me both with and without an antivirus client installed. However, this behavior could have a lot of causes. One of them could be something related to uBlock itself. Maybe it was in the process of updating and it got disabled/restarted for a few seconds when that page popped out. I have encountered this behavior with AdBlock extensions on YouTube, where sometimes the commercials at the beginning of the video were redisplayed. Also, in the last 2-3 days uBlock Origin migrated from an SDK-based extension to a WebExtension one. Maybe it was something related to that change. The transition is not perfect and could still have some issues. I will try to use uBlock next week on my profiles to see if I manage to encounter this behavior. Please let me know if you encounter this again and if you have more info on it.
I checked the Norton Safe Web rating for your reported website. (See https://safeweb.norton.com/report/show?url=http%3A%2F%2F378972357.win%2Fen%2F%3Fid%3DKzEgKDg1NSkgMzU1LTUxMTU) Apparently, this website is a known threat. I reported it through Firefox's Help > Report Deceptive Website feature. Does anything else need done in your opinion?
Flags: needinfo?(alexismyfriend)
Thanks all. The question remains how was the site able to open by itself, while not clicking any links? It forced a tab open to a malicious site while just sitting. The emails being browsed were legitimate, and I've gone over them again, seeing if the link would open. I find it especially interesting how uBlock Origin was functioning before the tab opened, then disappeared after the tab opened. How was the site able to open a tab by itself when no links were clicked? It seems two things happened. One is a malicious site was able to kill uBlock Origin. Two is it forced Firefox to open a tab with no user interaction. I am an IT professional, however web and software development are not my expertise. uBlock Origin did update recently to the latest Firefox-compatible standard. Firefox still opened a tab without my interaction however. Two of three pieces of software malfunctioned, first uBlock, then Firefox. Only an antivirus was able to block the site before damage was done. Who knows what kind of exploits the site possesses, and what kind of exploit was able to bypass two pieces of software. Users with a lacking security suite could be infected with whatever exploits were performed, simply by browsing the web while having security software, even with knowledge of safe browsing habits.
Flags: needinfo?(alexismyfriend)
Moving to Core:DOM:Security to see if more attention will help.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Site seems gone. Hopefully using known tricks covered by the "eviltraps" bug.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE