Closed Bug 253713 Opened 21 years ago Closed 21 years ago

Home-Page hijackers can use user.js

Categories

(SeaMonkey :: Preferences, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: sguy, Unassigned)

References

Details

(Whiteboard: [sg:nse])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040616

Today lots of spyware tries to hijack the home page and lock it against changes. This problem is very common in IE but quite rare in Mozilla. (http://homepage.ntlworld.com/dvk01uk/tutorial.htm)

Today the homepage hijackers for Mozilla are simple and the user can change his home page back. But if the hijackers try to be more sophisticated, they can add to "user.js" the line

user_pref("browser.startup.homepage", "http://www.foobar.com");

If they do so, the user won't be able to change his home page back from the prefs window.

I suggest that if the user's selection in the prefs window conflicts with "user.js", the user will be offered to overwrite "user.js".

I am reporting this bug as a security bug because I don't want to give ideas to the hijackers' writers.

Reproducible: Always

Steps to Reproduce:
While true, there are other ways a hijacker could accomplish the same thing that would be equally hard for a user to detect and remove. We need to spend our effort on preventing the bad guys from changing your local files in the first place, because it might not be a home page hijacker, it might be someone installing a keylogger or erasing your files.

If it becomes a real problem I'm sure this will be another thing Ad-Aware and Spybot Search and Destroy etc. will look for. Meanwhile we're swamped with more pressing bugs to work on.

Clearing sensitive flag: any bad guy smart enough to be able to change a local file already knows about user.js, it's not exactly secret.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → WONTFIX
Whiteboard: [sg:nse]
*** Bug 257469 has been marked as a duplicate of this bug. ***
Product: Browser → Seamonkey
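The check that the thread expects cleanup tools to perform, sketched as an added example that is not part of the original bug report or of any Mozilla code: it parses a profile's user.js and reports watched prefs that the file sets, along with the value saved in prefs.js. The watch list, function names and sample file contents are assumptions made for illustration.

```python
import re

# Prefs worth flagging when user.js sets them. Only the homepage pref comes
# from the bug report; extend the set as needed (assumption).
WATCHED = {"browser.startup.homepage"}

# One user_pref("name", value); call at the start of a line. Lines commented
# out with // do not match because of the line anchor.
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;',
                     re.MULTILINE)
BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)


def parse_prefs(text):
    """Return {pref_name: value} for every active user_pref() call in text."""
    text = BLOCK_COMMENT_RE.sub("", text)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        prefs[name] = raw.strip('"')  # a later line replaces an earlier one
    return prefs


def audit_user_js(user_js_text, prefs_js_text="", watched=WATCHED):
    """List watched prefs set in user.js and whether prefs.js disagrees."""
    pinned = parse_prefs(user_js_text)
    saved = parse_prefs(prefs_js_text)
    findings = []
    for name in sorted(pinned):
        if name in watched:
            other = saved.get(name)
            findings.append({
                "pref": name,
                "user_js": pinned[name],
                "prefs_js": other,
                "conflict": other is not None and other != pinned[name],
            })
    return findings


# Constructed sample input, not taken from a real profile.
SAMPLE_USER_JS = '''
/* user_pref("browser.startup.homepage", "http://commented.example/"); */
// user_pref("browser.startup.homepage", "http://also-commented.example/");
user_pref("browser.startup.homepage", "http://www.foobar.com");
user_pref("example.unrelated.pref", false);
'''
SAMPLE_PREFS_JS = 'user_pref("browser.startup.homepage", "http://www.example.org/");\n'

if __name__ == "__main__":
    for finding in audit_user_js(SAMPLE_USER_JS, SAMPLE_PREFS_JS):
        print(finding)
```

To run it against a real profile, read the user.js and prefs.js files from the profile directory and pass their contents to `audit_user_js`.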