Closed Bug 267071 Opened 20 years ago Closed 20 years ago

Firefox vulnerable to stealth hijacking through outside applications

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: tonglebeak, Assigned: bugzilla)

References

(
URL
)

Details

(Whiteboard: [sg:nse]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041031 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041031 Firefox/1.0RC2

There's an application, called Atelier Web Firewall Tester, that uses several
methods to bypass your firewall. You can find it here: 

http://www.firewallleaktester.com/leaktest7.htm

It comes with 6 tests to try to bypass the firewall: some, starting off with
test Two, use the default browser to send data under someone's nose, without
them even knowing. Since Firefox is my default browser, it's able to use
Firefox. It sends a packet through firefox.exe (it shows up in my firewall log),
and it retrieves the data without the screen ever having to even flicker. The
only way someone knows the data was sent out is either by looking at the test
results (which once again are confirmed by my firewall log).

Yes, I realize this is to test firewalls, but this also has to do with the
browser. The fact that Firefox can be used to send and receive data without the
end-user ever knowing about it can prove to be a critical security risk. Here's
what I think should be done:

If an external application attempts to use Firefox, the user should be made
aware of it by Firefox itself; and given the option to allow the data to go
through, or to refuse it (not by any kind of firewall (which wouldn't be able to
detect it most likely anyways)). If the user refuses the data to be sent, then
Firefox should do nothing at all. Else, allow the data to go through, obviously.

That test is just showing how a browser can be hijacked, and someone could no
nothing about it at all, and this can be a security problem, so the user needs
to be made aware of an external application using Firefox, and be given a choice
as to what should happen with the data.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Invalid.  Firefox is a web browser, not an operating system.  If you want your
applications to be protected from each other, you'll have to find an operating
system (not a personal firewall or set of applications) that provides that
protection.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Whiteboard: [sg:nse]
You need to log in before you can comment on or make changes to this bug.