Closed Bug 1538813 Opened 2 years ago Closed 11 months ago

Redirection to a Firefox survey (scam) http://competition4599.sadman13.agency

Categories

(Firefox :: Security, defect)

66 Branch
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: fabrice.salvaire, Unassigned)

Attachments

(2 files)

Attached image scam page

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

I clicked on a link on the Google search page.

Actual results:

Firefox opened this link instead

http://competition4599.sadman13.agency/6508744505/?t=main9_04f91c046e2a3b&u=d29pte4&o=vxzkpbg&f=1

Later the link worked as expected, thus I suspect something bad happened in Firefox, like a scam due to ???

Attached image firefox-module.png

installed modules

Some details on setup was

I did a few investigations on the modules: all modules are on GitHub except ColorZilla and Empty Cache Button.

I am aware of such scams, but I never encountered one in this circumstance.

I couldn't reproduce this issue on

Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Placing this under Firefox:security so someone can look into this. Thanks!

Component: Untriaged → Security

Andreas, where can we move bugs containing a list of extensions where one is potentially compromised?

Thanks!

Flags: needinfo?(awagner)

I think easiest would be to file a new bug containing only the malicious/block-worthy using https://bugzilla.mozilla.org/form.blocklist . Thanks!

Flags: needinfo?(awagner)

Can you confirm that the most likely explanation is a malicious extension?

It's really a security issue! Since I have never developed a Firefox extension, I wonder what we can do with a malicious extension (store credit card data, etc.).

Personally I don't know how to investigate these extensions.

I just reproduced it now

  • clicked on the link above http://www.ageca.org and got the scam
  • reclicked twice and got the site (same for more than 5 clicks)

ColorZilla and Empty Cache Button were disabled.

Can you disable all your extensions and try again? Can you also try in a fresh profile? I can't reproduce this, but it still may be that the site is compromised...

I tried several in a fresh profile: no scam
Same with all extensions disabled.

It looks random...

Hm, that's strange. I suppose your profile contains private information, so feel free to decline this request, but if you want you could send me the zipped profile folder to the @mozilla.com email address on my Bugzilla account and I can try it out. You can of course first clear history, remove saved passwords etc., assuming that this won't make the issue go away :)

Let me know if that's okay for you. Again, I understand if it's not.

I reproduced it just now

  • first click: got scam but now the page is blocked by Firefox
  • second click: got the right site

I believe there is a clever timer to trigger the scam, which makes investigation difficult...

Enabled modules are: React dev tools, Redux dev tools, uBlock Origin, withExEditor

For the profile, yes, it contains private information, but without (passwords, history, cache) it should be OK.

First I would like to understand where the redirection is done. I will try to log network connections next time.

I think we can close this for now. The scam techniques should be tracked in other bugs and it doesn't seem like we can easily find the culprit behind opening that site.

Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → INCOMPLETE
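
The network logging the reporter planned, as an added example (not part of the bug thread and not Mozilla code): given a HAR export of the Network panel saved with Persist Logs enabled, it walks back from the first request to the scam host and labels how each hop was reached. The HAR entries and `redirector.example` are constructed sample data, and matching a Referer to its page by host is an assumption of this example.

```python
from urllib.parse import urljoin, urlsplit

SCAM = "http://competition4599.sadman13.agency/"  # host from the report, path dropped

# Constructed sample data below (not a real capture); redirector.example is a placeholder.
def har_entry(url, status=200, referer=None, location=None):
    req = [{"name": "Referer", "value": referer}] if referer else []
    res = [{"name": "Location", "value": location}] if location else []
    return {"request": {"url": url, "headers": req},
            "response": {"status": status, "headers": res}}

SAMPLE_HAR = {"log": {"entries": [
    har_entry("http://www.ageca.org/", referer="https://www.google.com/"),
    har_entry("http://redirector.example/r", 302, "http://www.ageca.org/", SCAM),
    har_entry(SCAM),
]}}

def url_of(entry):
    return entry["request"]["url"]
def host_of(url):
    return urlsplit(url).hostname or ""

def header(msg, name):
    return next((h["value"] for h in msg["headers"]
                 if h["name"].lower() == name.lower()), None)

def trace_to(har, landing_host):
    """Return [(kind, from_url, to_url), ...] ending at the first request to landing_host."""
    entries = har["log"]["entries"]
    via_3xx = {}  # redirect target URL -> entry whose 3xx response pointed at it
    for e in entries:
        loc = header(e["response"], "Location")
        if 300 <= e["response"]["status"] < 400 and loc:
            via_3xx.setdefault(urljoin(url_of(e), loc), e)
    cur = next((e for e in entries if host_of(url_of(e)) == landing_host), None)
    chain, seen = [], set()
    while cur is not None and id(cur) not in seen:
        seen.add(id(cur))
        prev, kind = via_3xx.get(url_of(cur)), "http-redirect"
        ref = header(cur["request"], "Referer")
        if prev is None and ref:
            # Assumption: Referer may be origin-only, so match the referring page by host.
            prev = next((e for e in entries
                         if e is not cur and host_of(url_of(e)) == host_of(ref)), None)
            kind = "page-initiated"
        if prev is None:
            kind = "not-in-log"  # user click, address bar, or browser/extension code
        chain.append((kind, url_of(prev) if prev is not None else None, url_of(cur)))
        cur = prev
    return chain[::-1]
```

For a real capture, pass `json.load(open(path))` as `har`. If the hop into the scam host itself comes back as `not-in-log`, no logged page or server response accounts for it, which is the case where the installed extensions deserve the closer look.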