camillenelson.com loads abusive scripts from pushqwer.com and deloplen.com
Categories
(Toolkit :: Safe Browsing, defect, P5)
People
(Reporter: aevargareg, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Steps to reproduce:
- in Tools/Options/Privacy & Security, set Browser Privacy = Strict
- in Tools/Options/Privacy & Security, check Block pop-up windows
- in Tools/Options/Privacy & Security/Notifications, check Block new requests asking to allow notifications
- searched for Camille Nelson with Google search, https://www.google.com/search?client=firefox-b-1-d&q=camille+nelson
- clicked on article 2 - Camille Nelson Music
- Firefox prompted me to Allow/Block notifications from www.camillenelson.com
- clicked on Allow
- clicked on Blog or About or Photos or Videos in the page's menu
Actual results:
- a notification prompt was displayed, despite my settings, and only the Allow button was enabled; Block was not enabled, and clicking it had the same effect as Allow
- several child tabs displayed, including one to "update Firefox", which I could not close (it is a threat; the main message box shakes when trying to close the tab; I know this is not Mozilla behavior)
- I could not restart Firefox in Safe Mode without the bad tab still displaying
- I had to uninstall and reinstall Firefox to eliminate the bad tab, then import settings from the Old Firefox Data folder
Expected results:
- there should not have been a prompt for allowing notifications
- there should not have been additional tabs, especially one that was dangerous
- this behavior does not occur when typing the URL directly into the address bar, namely https://www.camillenelson.com/
Comment 1•6 years ago
(In reply to Alan Varga from comment #0)
> - a notification prompt was displayed, despite my settings, and only the Allow button was enabled; Block was not enabled, and clicking it had the same effect as Allow
This isn't a real prompt. This is an attempt to trick you. You can tell because its anchoring is completely off compared to the location bar, and because there is no overlap with the browser chrome (i.e. the toolbar).
(quoting out of order:)
> - clicked on Allow
And unfortunately, you fell for the attempt to trick you...
(That said, from more experimentation, clicking "empty" bits of page also loads abusive pages. The website has been compromised.)
> - several child tabs displayed, including one to "update Firefox", which I could not close (it is a threat; the main message box shakes when trying to close the tab; I know this is not Mozilla behavior)
I can't reproduce this (tested on current mozilla nightly as well as 71 beta). If I've got popup windows blocked, and click the fake "Allow" button, I get a notification bar indicating a popup was blocked. Attempts to reproduce after allowing popups were also not successful. I get various other ad pages when I click at arbitrary points on the page, but nothing like what you describe. I expect it's a random selection of abusive stuff. :-(
> - I could not restart Firefox in Safe Mode without the bad tab still displaying
If safe mode wouldn't restore your tabs, we would probably get complaints about people losing their session this way...
> - I had to uninstall and reinstall Firefox to eliminate the bad tab, then import settings from the Old Firefox Data folder
For future reference, you could probably have used "refresh Firefox", accessible from about:support - or removed any files with sessionrestore from your Firefox profile folder (also accessible from about:support ). I realize we should never get in this state, but it's hard to fix part (2) here without being able to reproduce it, and at least this way you have a workaround in future.
I'm going to unmark sec-sensitive but keep it moco-confidential in case we hit upon more details of what exact exploitative site did (2) above. I'll contact the webmaster of camillenelson to point out their website has been hacked and report the site to safebrowsing.
Ehsan, I assume we don't want to substitute the tracking protection blocklist for the safebrowsing one for the malicious scripts that are on this page? Dimi, do we have other tools at our disposal here?
Comment 2•6 years ago (Reporter)
To clarify #3, I could restore my tabs in Safe Mode. The problem was that it restored all of the tabs, *including* the malicious one.
To clarify #4, since this happened a couple of times while I was experimenting so I could get the details for the bug report correct, I did end up using Refresh Firefox, and happily it saved my bookmarks and settings (things I changed in about:config).
Comment 3•6 years ago
(In reply to :Gijs (he/him) from comment #1)
> I'm going to unmark sec-sensitive but keep it moco-confidential in case we hit upon more details of what exact exploitative site did (2) above. I'll contact the webmaster of camillenelson to point out their website has been hacked and report the site to safebrowsing.
> Ehsan, I assume we don't want to substitute the tracking protection blocklist for the safebrowsing one for the malicious scripts that are on this page? Dimi, do we have other tools at our disposal here?
No, I think safebrowsing is the right mechanism to use here... Though I wonder why it is that I was also unsuccessful in reproducing this issue. Similarly to you, I did get the fake notification prompt, but clicking on Allow only opened the popup where the real permission is requested, without the rest of the problems enumerated. It seems like the script that generates the fake notification prompt is: https://pushqwer.com/ntfc.php?p=2668644.
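For a webmaster checking their own pages for the injected scripts discussed in this bug, the following is an added example (not part of any comment and not Mozilla code) that lists a page's external `<script>` sources and flags those served from the two hosts named in the bug title. The sample markup, `cdn.example.net` and the `x.deloplen.com/t.js` path are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts named in this bug report as serving the abusive scripts.
FLAGGED_HOSTS = {"pushqwer.com", "deloplen.com"}

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def host_matches(host, flagged):
    """True if host equals a flagged domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in flagged)

def audit_scripts(page_url, html, flagged=FLAGGED_HOSTS):
    """Return (flagged_urls, other_third_party_hosts) for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    hits, third_party = [], set()
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = (urlsplit(absolute).hostname or "").lower()
        if not host or host == page_host:
            continue  # same-origin script, not of interest here
        if host_matches(host, flagged):
            hits.append(absolute)
        else:
            third_party.add(host)  # unknown third party: review manually
    return hits, sorted(third_party)

# Constructed sample markup; only the ntfc.php URL is taken from comment 3.
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script async src="//pushqwer.com/ntfc.php?p=2668644"></script>
<script src="https://x.deloplen.com/t.js"></script>
</head><body></body></html>
"""
```

Calling `audit_scripts("https://www.camillenelson.com/", SAMPLE_HTML)` returns the two flagged URLs and the remaining third-party host list for manual review.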
Comment 4•6 years ago
(In reply to :Gijs (he/him) from comment #1)
> Ehsan, I assume we don't want to substitute the tracking protection blocklist for the safebrowsing one for the malicious scripts that are on this page? Dimi, do we have other tools at our disposal here?
I agree with Ehsan that SafeBrowsing is the right one to use. I don't know if there is an alternative approach we can use here :(
Comment 5•5 years ago
The priority flag is not set for this bug.
:dimi, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 6•5 years ago
I am not sure if Safe Browsing is the right component for this. Set this to P5 because we can't do anything except reporting the site from the perspective of SafeBrowsing. And as mentioned in Comment 1, we need more detail for the exploit (2) to proceed.
Comment 7•5 years ago
If there is another component more appropriate than Safe Browsing, please change it. Furthermore, can you make sure that this issue continues to be addressed? Thank you!
Comment 8•5 years ago
(In reply to Bodea Daniel [:danibodea] from comment #7)
> If there is another component more appropriate than Safe Browsing, please change it. Furthermore, can you make sure that this issue continues to be addressed? Thank you!
I am not sure why I was needinfo'ed about this. SafeBrowsing is a service run by Google (https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en) and anyone can submit a report to it. I just submitted a report, including a link to this bug, so I'm going to mark the bug as non-confidential so that the SafeBrowsing team can see it.