Redirection to a Firefox survey (scam) http://competition4599.sadman13.agency

Status: UNCONFIRMED (defect), 3 months ago
Assignee: Unassigned
Reporter: fabrice.salvaire
Tracking: 66 Branch; Firefox Tracking Flags: Not tracked
Attachments: 2

Reporter

Description

3 months ago
Posted image scam page

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

I clicked on a link on the Google search page.

Actual results:

Firefox opened this link instead

http://competition4599.sadman13.agency/6508744505/?t=main9_04f91c046e2a3b&u=d29pte4&o=vxzkpbg&f=1

Later the link worked as expected, thus I suspect something bad happened in Firefox, like a scam due to ???

Reporter

Comment 1

3 months ago
Posted image firefox-module.png

installed modules

Reporter

Comment 3

3 months ago

Some details on setup was

I did a few investigations on the modules: all modules are on GitHub except ColorZilla and Empty Cache Button.

I am aware of such scams but I never encountered it in this circumstance.

Comment 4

3 months ago

I couldn't reproduce this issue on

Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Placing this under Firefox:security so someone can look into this. Thanks!

Component: Untriaged → Security

Andreas, where can we move bugs containing a list of extensions where one is potentially compromised?

Thanks!

Flags: needinfo?(awagner)

I think easiest would be to file a new bug containing only the malicious/block-worthy using https://bugzilla.mozilla.org/form.blocklist . Thanks!

Flags: needinfo?(awagner)

Reporter

Comment 7

3 months ago

Can you confirm that the most likely explanation is a malicious extension?

It's really a security issue! Since I have never developed a Firefox extension, I wonder what we can do with a malicious extension (store credit card data, etc.).

Personally I don't know how to investigate these extensions.

Reporter

Comment 8

3 months ago

I just reproduced it now

  • clicked on the link above http://www.ageca.org and got the scam
  • reclicked twice and got the site (same for more than 5 clicks)

ColorZilla and Empty Cache Button were disabled.

Can you disable all your extensions and try again? Can you also try in a fresh profile? I can't reproduce this, but it still may be that the site is compromised...

Reporter

Comment 10

3 months ago

I tried several in a fresh profile: no scam.
Same with all extensions disabled.

It looks random ...

Hm, that's strange. I suppose your profile contains private information, so feel free to decline this request, but if you want you could send me the zipped profile folder to the @mozilla.com email address on my Bugzilla account and I can try it out. You can of course first clear history, remove saved passwords etc., assuming that this won't make the issue go away :)

Let me know if that's okay for you. Again, I understand if it's not.

Reporter

Comment 12

3 months ago

I reproduced it just now

  • first click: got scam but now the page is blocked by Firefox
  • second click: got the right site

I believe there is a clever timer to trigger the scam, which makes investigation difficult ...

Enabled modules are: React Dev Tools, Redux Dev Tools, uBlock Origin, withExEditor

For profile, yes, it contains private information but without (password, history, cache) it should be ok.

First I would like to understand where the redirection is done. I will try to log network connections for next time.
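
Comment 12 plans to log network connections to find where the redirection happens. The following is an added example, not part of the bug report or of any Mozilla tooling: it walks a HAR export of the Network panel from the clicked URL and reports each hop, whether an HTTP 3xx or a page-initiated navigation. The sample log, the `hop.example` host and the function names are constructed for illustration and do not describe what actually happened in this bug.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed HAR 1.2 excerpt (not from the reported session); hop.example is a placeholder.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"request": {"url": "http://www.ageca.org/", "headers": []},
  "response": {"status": 302, "redirectURL": "http://hop.example/r", "content": {}}},
 {"request": {"url": "http://hop.example/r", "headers": []},
  "response": {"status": 200, "content": {"mimeType": "text/html"}}},
 {"request": {"url": "http://hop.example/a.js",
              "headers": [{"name": "Referer", "value": "http://hop.example/r"}]},
  "response": {"status": 200, "content": {"mimeType": "application/javascript"}}},
 {"request": {"url": "http://competition4599.sadman13.agency/",
              "headers": [{"name": "Referer", "value": "http://hop.example/r"}]},
  "response": {"status": 200, "content": {"mimeType": "text/html"}}}
]}}""")

def host(url):
    return urlsplit(url).hostname or ""

def referer(entry):
    return next((h["value"] for h in entry["request"]["headers"]
                 if h["name"].lower() == "referer"), "")

def redirect_chain(har, start_url):
    """Return (url, mechanism, next_url) hops starting at the clicked URL."""
    entries, chain, seen, url = har["log"]["entries"], [], set(), start_url
    # Map each URL to its first request, so a repeated click does not mask the first one.
    index = {e["request"]["url"]: i for i, e in reversed(list(enumerate(entries)))}
    while url in index and url not in seen:
        seen.add(url)
        resp, nxt, how = entries[index[url]]["response"], None, None
        if 300 <= resp["status"] < 400 and resp.get("redirectURL"):
            nxt, how = urljoin(url, resp["redirectURL"]), f"HTTP {resp['status']}"
        else:
            # Else: later cross-host HTML load whose Referer is this page or its origin (heuristic).
            for e in entries[index[url] + 1:]:
                ref, mime = referer(e), e["response"].get("content", {}).get("mimeType", "")
                if (ref and url.startswith(ref) and mime.startswith("text/html")
                        and host(e["request"]["url"]) != host(url)):
                    nxt, how = e["request"]["url"], "page-initiated"
                    break
        if nxt:
            chain.append((url, how, nxt))
        url = nxt
    return chain

def first_foreign_hop(chain, clicked_url):
    return next((hop for hop in chain if host(hop[2]) != host(clicked_url)), None)
```

For a real capture, enable "Persist Logs" in the Network panel before clicking so entries survive the navigation, save the log as HAR, and load it with `json.load`. A "page-initiated" hop only narrows the search to that page's scripts or markup; a cross-site frame would match the same heuristic.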
