Closed Bug 1815589 Opened 3 years ago Closed 3 years ago

Clever nefarious method of installing probably infected Firefox version

Categories

(Firefox :: Installer, enhancement)

Product:
Firefox
Component:
Installer
Version:
Firefox 110
Type:
enhancement

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: bugzilla.daydream735, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0

Steps to reproduce:

I searched for a question I had about towing with a car with a capacity of 3500lbs and got a page that indicated my Firefox was out of date and needed updating. I immediately went to the Help page to check and it indicated I was up to date.
More than suspicious.

Problematic page: https://outdoordriving.com/what-can-i-tow-with-3500-lb-capacity/

Linked page with installation of suspicious Firefox version:
https://filedownloadapp.com/webv4/ff_update?fn=2142834&clickid=wo35ce2hue653gfm2pqci62k&extid=1d673905f3848019de1beabbee7c9126&tsid=50fd6e88-7979-42f8-968b-b708d378b545&lndid=caf30adc-b09d-4aa9-b247-8d6048dc74c4&h=600&domain=outdoordriving.com&d=securedcdn.com&cep=W-ONso1kQ_YO1pmXjCgtItVxJ81OV97RJnLA4kymmPhAd2Pm6m0kfh2PippE_smqC-vuppM2EtNHsz5uk-Cen-dXpUoDMdcoGxbohf4DcQRJ8haxzJE7nmcN1LbXOdpVczz1FswGRR2CxvfDnqHuqB52kpESLlJZm_23mgW0hMFqKEXChR22XCWN6hDr2uhvjO1270J2jy_zgKuBidAK5lqXUaVRGaMO0RXbAYaSenYI3fF86BKuZbkGN9ctPlkPXxFZXE70EQqbkpwNWR75CsFR8UCOTG5-XaYfmZQeaNkBeNYI-uRb05NsAaZYDDQBpgVnTGYqWRhzzCXovFdUu2aPQyQVt3lYwBUP8Hy_Q4nUMz1-s43fjuluBXs0v6B9R4h80f_4AcUa0R8Lg9lC1go2NklhEnzdGnRGwWWM5u9wd4obxJpRNO5mBnwJ6lhQtSmRT0R8KKkxSL_cwp0FybOY3hZuEEutJ7moHRyOYDMHBZzQ8Aqsyp8S2MUdkcN7XRwn_y6DvdP6BPcESlZ9yXbODKDyTFKRZ7xguAgWlsHckuOQT0eWITj0n0v-beGrpkKAz24wVpSuZxsYSQ8V201xBP4GwQupa_IwEwNJCoAsccMU2TXSH5AaDL5px0KI0vIRo3B9lLQaysRv50rY4WkuLzh3z9j9AYsEaoAFSMEeqjsI7d8WNJUc0KwiKmwI7APPM5BKE9wqzppeDGM_Vg&lptoken=1667758f81a563820526&browser=Unknown&zoneid=2188318&bannerid=2142834&os=Windows&country=United+States&region=Seattle&isp=CenturyLink&useragent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A109.0%29+Gecko%2F20100101+Firefox%2F110.0&language=11&placement=18299578&subid=1d673905f3848019de1beabbee7c9126&hsh=7132266533280

Actual results:

An attempt was made to replace my Firefox installation with another from a non-Mozilla site.

Note the following information was encoded in the destination link:
browser=Unknown
zoneid=2188318
bannerid=2142834
os=Windows
country=United+States
region=Seattle
isp=CenturyLink
useragent=Mozilla%2F5.0+
Windows+NT+10.0
Win64%3B+x64
Gecko
Firefox
110.0
language=11
placement=18299578
subid=1d673905f3848019de1beabbee7c9126
hsh=7132266533280

Expected results:

Nothing. My Firefox installation is fine.

I will set this enhancement as new so the engineering team could take a look at this.
If this is not the correct component, please feel free to change it to a more appropriate one.

Status: UNCONFIRMED → NEW
Component: Untriaged → Installer
Ever confirmed: true

I don't think that there is much that we, in engineering, can do about this. I submitted the URL to the Safe Browsing form. I believe that that should result in it shortly being added to the Safe Browsing database, which should warn users before going to that page.

But as far as engineering, I don't think that there is anything to be done here. We can't easily tell that a website is advertising something that it shouldn't be. I think the best that we can do is rely on the Safe Browsing database, which we already do.

Thanks for your report, but since I don't believe there to be anything actionable engineering-wise, I'm going to go ahead and close this.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.