Closed Bug 1425508 Opened 8 years ago Closed 7 years ago

Today i was hacked by a website...

Categories: Firefox :: Untriaged, defect
Version: 58 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INCOMPLETE
People: Reporter: info, Unassigned
Attachments: 2 files

Attached file website_source.txt
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20171204150510

Steps to reproduce:

Hi, I am using my workstation as a developer. Today I was searching for sources on: http://www.vclcomponents.com/Delphi/Graphical_Controls/JanFX-info.html

There was a link to the developer website that I opened with my Firefox 58.0b9 (64-Bit): www.jansfreeware.com

I was redirected to another site: http://ww1.jansfreeware.com

This site loaded very, very slowly, so I turned back to my programming IDE. A little moment later my antivirus program came up and showed me that I had an infected netphone.exe in my Windows temp directory. Hmm - netphone.exe? Never knew about this file before. I took a look at my temp path. I can't believe what was going on there!!! Subdirectories with numbers as names were being created and erased in seconds. I navigated into one of them to take a look inside, but a moment later the content was gone, and the subdirectory as well. Was there a BOT on my system that wants to infect me?

I disabled my LAN card in the network and suddenly all these things stopped, and I have at least a folder named 16941 and a zero text file inside with the name test1.txt inside my temp. Trying to open it wasn't successful; Windows told me it was opened by another program. I shut down and restarted my FritzBox to get a new IP address. After that everything on my workstation was like it was before I had that issue.

Actual results:

The site was empty, nothing to see when I had opened it. Take a look at the source, which I viewed directly and attached.

Expected results:

A little time later I used TOR to open that link again and a normal domain parking site was shown. And in the evening the site showed the hint: "Error. Page cannot be displayed. Please contact your service provider for more details. (10)" And the number changes after reload.

Can someone reproduce this?

Is there an unknown big bug inside Firefox so that a website can infect me or can open my temp folder?

Attaching a pretty-printed version of a script loaded by the page at ww1.jansfreeware.com from view-source:https://pxlgnpgecom-a.akamaihd.net/javascripts/browserfp.min.js?templateId=10

That appears to be an ad-loader and tracker (uses various storage, checks WebRTC, enumerates fonts, canvas fingerprinting, etc.) but not itself doing anything obviously malware-like. At the top there are two objects with a lot of numeric properties and some kind of a de-obfuscator starting around line 3500, but I can't tell if that's some kind of a shell script or how they're related just by reading. (Will need to set up a safe environment to step through it in a debugger.)

Seems more likely that the malicious thing came in with one of the "ads".

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE