Phishing filter stops working for profiles which were created with a different locale

RESOLVED WONTFIX

Product: Toolkit
Component: Safe Browsing
Priority: --
Severity: critical
Opened: 10 years ago
Updated: 4 years ago
Reporter: whimboo
Assignee: Unassigned
Version: 3.5 Branch
Platform: x86, Mac OS X
Keywords: sec-low
Firefox Tracking Flags: Not tracked
Whiteboard: [sg:low]

(Reporter)

Description

10 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; ja; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6 

While sitting on release testing I noticed in the l10n testruns in Litmus that the Phishing filter breaks for profiles which were created by another locale. The red alert box isn't displayed anymore and users will be redirected to the malicious page! There is no way to stop this behavior, unless you delete the urlclassifier3.sqlite file. After this step the Phishing filter starts working again. I have done no further investigation yet and will run further tests on other platforms and for 1.9.1/1.9.2.

Here are the steps to reproduce the behavior:
1. Download the en-US build of Firefox 3.0.6 build1
2. Create a new profile with that locale
3. Start Firefox with that profile and wait until the urlclassifier3.sqlite is getting downloaded (for now I haven't done any timing tests)
4. Open http://www.mozilla.com/firefox/its-a-trap.html
=> Alert box is shown and user is protected by the filter

5. Download the fr build of Firefox 3.0.6 build1
6. Start the fr build with the profile created by the en-US build
7. Open http://www.mozilla.com/firefox/its-a-trap.html
=> No alert box is shown and user lands on the malicious webpage

8. Start the en-US build again with the same profile
9. Open http://www.mozilla.com/firefox/its-a-trap.html
=> Alert box is shown again

This could be a security issue. So flagging it as a security bug for now, as stated by Samuel.
Dave and I are investigating this.
(Reporter)

Comment 2

10 years ago
I ran the same test with the latest nightly builds on 1.9.1 and 1.9.2. Both versions are affected too.

Comment 3

10 years ago
Tested a bit, and it appears that real phishing/malware pages are being blocked reliably; this seems to be specific to the test URLs.
(Reporter)

Comment 4

10 years ago
Dave, do we have a list of pages somewhere I can easily access?
And this isn't a new issue either so we don't need to block 1.9.0.6 on it or
anything. The paranoid in me wanted it filed as security-sensitive, though
investigation seems to say we can probably open it. Let's keep it closed 'til
we're 100% sure.

Comment 6

10 years ago
That question is entirely too difficult to answer :/

If your profile has been around for long enough, ianfette.org is a good malware test that comes from the real server.

phistank.org generally has a good list of recent phishes, Google usually has a few from the first page or two, I happened to find http://www.artdollmaking.com/PayPal.fr/
(Reporter)

Comment 7

10 years ago
(In reply to comment #6)
> If your profile has been around for long enough, ianfette.org is a good malware
> test that comes from the real server.

On that website I don't even get an alert with such a profile while it is working with the original locale.

> phistank.org generally has a good list of recent phishes

Mmh. This website cannot be found.

Comment 8

10 years ago
(In reply to comment #7)
> (In reply to comment #6)
> > If your profile has been around for long enough, ianfette.org is a good malware
> > test that comes from the real server.
> 
> On that website I don't even get an alert with such a profile while it is
> working with the original locale.

Yeah, might not have the complete phishing list yet.

> 
> > phistank.org generally has a good list of recent phishes
> Mmh. This website cannot be found.
phishtank.org
Whiteboard: [sg:low]
(Reporter)

Comment 9

9 years ago
So can we open this bug to public since it only affects our demonstration page?

Comment 10

6 years ago
(In reply to Henrik Skupin (:whimboo) from comment #9)
> So can we open this bug to public since it only affects our demonstration
> page?

I don't see any reason for this to be private any more.
Group: core-security
Closed during front end sg triage - this looks like it only impacted the test page, and also refers to an older implementation of the safebrowsing code.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX
(Assignee)

Updated

4 years ago
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit