Advanced Mac Tuneup malware hijacks search and "Restore Default Search Engines" button is not clickable
Categories: (Firefox :: Search, defect)
People: (Reporter: nalexander, Unassigned)
A macOS device that my family uses was infected with malware installed by the "Advanced Mac Tuneup" program. This malware does many things, including hijacking Firefox's search provider and configuring launchd agents to maintain said hijacking. (It does not install Web Extensions into Firefox.) What I observed is that about:preferences > Search does not allow me to click the "Restore Default Search Engines" button when the malware's "BrowserDefault" search provider is installed. That is, the list is not the default, but the easiest path to returning to the default is not available. If I remove the "BrowserDefault" hijack option, the button is still not clickable. It's only when I remove another engine -- in my case, "Wikipedia (en)" -- that the "Restore Default Search Engines" button becomes clickable.
That doesn't seem correct, but I do see Bug 1126435, which is complaining about what might be the same behaviour, and hasn't gotten any attention in 5+ years. I think we should strongly consider changing this UX to make it easier for folks to get back to the known good state -- a factory reset of search, if you will.
Comment 1•5 years ago
(In reply to Nick Alexander :nalexander [he/him] from comment #0)
> A macOS device that my family uses was infected with malware installed by the "Advanced Mac Tuneup" program.
Do you happen to still have the profile data for that issue? I'd be interested in looking at exactly what they're doing.
> That doesn't seem correct, but I do see Bug 1126435, which is complaining about what might be the same behaviour, and hasn't gotten any attention in 5+ years. I think we should strongly consider changing this UX to make it easier for folks to get back to the known good state -- a factory reset of search, if you will.
The problem in this case, as you've already said, is that the launchd agents would just re-establish it again. We are working on various things to prevent/reduce hijacking at the moment.
Remove Default Search Engines has always been a bit of a strange button. One issue with it resetting everything is that this would not really apply for add-on added search engines - since they would need to be disabled via the add-on routes, but the add-ons also provide other functionality, so resetting those isn't necessarily the best thing to do.
Comment 2•5 years ago
(In reply to Mark Banner (:standard8) from comment #1)
> (In reply to Nick Alexander :nalexander [he/him] from comment #0)
> > A macOS device that my family uses was infected with malware installed by the "Advanced Mac Tuneup" program.
> Do you happen to still have the profile data for that issue? I'd be interested in looking at exactly what they're doing.
I have access to the profile for sure, but it's been used (a lot!) after cleaning this malware.
> > That doesn't seem correct, but I do see Bug 1126435, which is complaining about what might be the same behaviour, and hasn't gotten any attention in 5+ years. I think we should strongly consider changing this UX to make it easier for folks to get back to the known good state -- a factory reset of search, if you will.
> The problem in this case, as you've already said, is that the launchd agents would just re-establish it again. We are working on various things to prevent/reduce hijacking at the moment.
Right -- I'm aware of this -- but it's still odd that the "in product" way to witness the launchd shenanigans doesn't actually let you witness that.
> Remove Default Search Engines has always been a bit of a strange button. One issue with it resetting everything is that this would not really apply for add-on added search engines - since they would need to be disabled via the add-on routes, but the add-ons also provide other functionality, so resetting those isn't necessarily the best thing to do.
Hmm, that's interesting. Maybe this ticket is really "remove or clarify what Reset Default Search Engines button" does?
Comment 3•5 years ago
(In reply to Nick Alexander :nalexander [he/him] from comment #2)
> (In reply to Mark Banner (:standard8) from comment #1)
> > (In reply to Nick Alexander :nalexander [he/him] from comment #0)
> I have access to the profile for sure, but it's been used (a lot!) after cleaning this malware.
Yeah that probably won't help then - we'd need to know what was in there before cleaning.
> > The problem in this case, as you've already said, is that the launchd agents would just re-establish it again. We are working on various things to prevent/reduce hijacking at the moment.
> Right -- I'm aware of this -- but it's still odd that the "in product" way to witness the launchd shenanigans doesn't actually let you witness that.
> > Remove Default Search Engines has always been a bit of a strange button. One issue with it resetting everything is that this would not really apply for add-on added search engines - since they would need to be disabled via the add-on routes, but the add-ons also provide other functionality, so resetting those isn't necessarily the best thing to do.
> Hmm, that's interesting. Maybe this ticket is really "remove or clarify what Reset Default Search Engines button" does?
I think I'm going to duplicate this to bug 1433263, which is basically the same type of issue. We're tentatively talking about some work on that preference panel to happen soon, so we'll hopefully get something better when we do that work.