Open Bug 523095 Opened 10 years ago Updated 3 months ago

after a Google search leading to a trojan website, Firefox preloads the harmful website anyway

Categories

(Toolkit :: Safe Browsing, defect, P3)

defect

Tracking

()

UNCONFIRMED

People

(Reporter: informfr, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: tp-leak)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

After a Google search leading to a web site containing a trojan, Firefox preloads the harmful page, causing a warning by avast, while Google warns against following the link!

I don't know if the code would have been executed without the anti-virus, but this is quite alarming anyway.


Reproducible: Always

Steps to Reproduce:
1. check that you have avast up-to-date (or a good protection)
2. in google, search for bavisoft

Actual Results:  
google says the first link is potentially harmful, and yet avast gives a warning about a trojan

Expected Results:  
Firefox shouldn't preload this link
Hmm, do we tie the URL classifier into link prefetching or DNS prefetching at all?
Group: core-security
Severity: critical → normal
Component: Security → Phishing Protection
OS: Windows XP → All
QA Contact: firefox → phishing.protection
Hardware: x86 → All
Maybe Google should not let Firefox prefetch such sites if they already detected it as harmful. The page will only land in the cache and that should not be a security issue.

It would be a security hole in Firefox if FF would allow to run any code from any page with the local system rights, the prefetch doesn't matter.
maybe the behavior is shifting.  it looks like going directly to the site gets the firefox malware detection feature, and navigating to the site from search results gets a different behavior.

clicking on the search result page link for "this site may harm your computer" gets

http://www.google.com/support/websearch/bin/answer.py?answer=45449&topic=360&hl=en&ei=m4dcsoo6cjdusgpyolsxcq&sa=x&oi=malwarewarninglink&resnum=1&ct=help/?sa=X&ei=M4DcSoO6CJDUsgPYoLSxCQ&ved=0CAcQ2gEwAA

clicking on the link for the site gets
http://www.google.com/interstitial?url=http://www.bavisoft.com/


going directly to http://www.bavisoft.com/ gets the safebrowsing page.

"...  Reported Attack Site
This web site at www.bavisoft.com has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners."

is that what you saw earlier?
>is that what you saw earlier?

This bug is about the prefetching of links that Firefox is doing if I understand the issue right.
( https://developer.mozilla.org/en/Link_prefetching_FAQ ) 

Google enables the link prefetching for the first (?) search result (AFAIK) and that causes Firefox to download the page already in the cache without a user click.
This downloaded files in the cache are found by the avast AV on the reporters system and the reporter got an alert before he clicked the link.

Another possibility is that google don't do link prefetching for reported sites even if they are #1 result but Firefox is doing DNS prefetching and the AVAST alerts because of the DNS request but I think this is unlikely.
I don't see a <link rel=prefetch href="..."> when I search for 'bavisoft' (should be present just before the link of the first search result). I don't know if Google didn't include it because it's on the black list, since I can see the link on some pages (search for 'antwerp'), and not on other pages (search for 'antwerpen'). I don't really understand why.

Note that http://www.bavisoft.com is also present in urlclassifier3 database (red larry), it might be a good idea to check that before prefetching a link, if this would be a problem. But I think it's easier for Google to prevent the prefetch link in their search page in this case.

Note that prefetching such a page isn't really dangerous for the user, the content will only be placed in the cache (which might trigger your AV).
I cannot reproduce the bug anymore. Maybe Google have done something.

(About the prefetch, I don't know if the problem is related, but I have been noticing that the first link in "Google results" often installs cookies from the corresponding website without having to click on it.)
(In reply to comment #6)
> (About the prefetch, I don't know if the problem is related, but I have been
> noticing that the first link in "Google results" often installs cookies from
> the corresponding website without having to click on it.)

bug 405811
Product: Firefox → Toolkit
Blocks: 1207775
Priority: -- → P5
Priority: P5 → P3
Whiteboard: tp-leak
You need to log in before you can comment on or make changes to this bug.