Open
Bug 523095
Opened 15 years ago
Updated 9 months ago
after a Google search leading to a trojan website, Firefox preloads the harmful website anyway
Categories
(Toolkit :: Safe Browsing, defect, P3)
UNCONFIRMED
People
(Reporter: informfr, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: tp-leak)
Attachments
(12 obsolete files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
After a Google search leading to a web site containing a trojan, Firefox preloads the harmful page, causing a warning by Avast, while Google warns against following the link!
I don't know if the code would have been executed without the anti-virus, but this is quite alarming anyway.
Reproducible: Always
Steps to Reproduce:
1. Check that you have Avast up to date (or a good protection)
2. In Google, search for bavisoft
Actual Results:
Google says the first link is potentially harmful, and yet Avast gives a warning about a trojan
Expected Results:
Firefox shouldn't preload this link
Comment 1•15 years ago
Hmm, do we tie the URL classifier into link prefetching or DNS prefetching at all?
Group: core-security
Severity: critical → normal
Component: Security → Phishing Protection
OS: Windows XP → All
QA Contact: firefox → phishing.protection
Hardware: x86 → All
Comment 2•15 years ago
Maybe Google should not let Firefox prefetch such sites if they already detected it as harmful. The page will only land in the cache and that should not be a security issue.
It would be a security hole in Firefox if FF allowed any code from any page to run with local system rights; the prefetch doesn't matter.
Comment 3•15 years ago
Maybe the behavior is shifting. It looks like going directly to the site gets the Firefox malware detection feature, and navigating to the site from search results gets a different behavior.
Clicking on the search result page link for "this site may harm your computer" gets
http://www.google.com/support/websearch/bin/answer.py?answer=45449&topic=360&hl=en&ei=m4dcsoo6cjdusgpyolsxcq&sa=x&oi=malwarewarninglink&resnum=1&ct=help/?sa=X&ei=M4DcSoO6CJDUsgPYoLSxCQ&ved=0CAcQ2gEwAA
Clicking on the link for the site gets
http://www.google.com/interstitial?url=http://www.bavisoft.com/
Going directly to http://www.bavisoft.com/ gets the safebrowsing page.
"... Reported Attack Site
This web site at www.bavisoft.com has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners."
Is that what you saw earlier?
Comment 4•15 years ago
> is that what you saw earlier?
This bug is about the prefetching of links that Firefox is doing, if I understand the issue right.
( https://developer.mozilla.org/en/Link_prefetching_FAQ )
Google enables the link prefetching for the first (?) search result (AFAIK) and that causes Firefox to download the page already in the cache without a user click.
These downloaded files in the cache are found by the Avast AV on the reporter's system and the reporter got an alert before he clicked the link.
Another possibility is that Google doesn't do link prefetching for reported sites even if they are the #1 result, but Firefox is doing DNS prefetching and Avast alerts because of the DNS request, but I think this is unlikely.
Comment 5•15 years ago
I don't see a <link rel=prefetch href="..."> when I search for 'bavisoft' (should be present just before the link of the first search result). I don't know if Google didn't include it because it's on the black list, since I can see the link on some pages (search for 'antwerp'), and not on other pages (search for 'antwerpen'). I don't really understand why.
Note that http://www.bavisoft.com is also present in urlclassifier3 database (red larry), it might be a good idea to check that before prefetching a link, if this would be a problem. But I think it's easier for Google to prevent the prefetch link in their search page in this case.
Note that prefetching such a page isn't really dangerous for the user, the content will only be placed in the cache (which might trigger your AV).
Comment 6
I cannot reproduce the bug anymore. Maybe Google have done something.
(About the prefetch, I don't know if the problem is related, but I have been noticing that the first link in "Google results" often installs cookies from the corresponding website without having to click on it.)
Comment 7•15 years ago
(In reply to comment #6)
> (About the prefetch, I don't know if the problem is related, but I have been
> noticing that the first link in "Google results" often installs cookies from
> the corresponding website without having to click on it.)
bug 405811
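An added illustration of the check suggested in comment 5 (consult the blocklist before acting on a prefetch hint); it is not part of the bug thread and not Firefox code. The Python sketch below extracts `<link rel=prefetch>` and `dns-prefetch` hints from a results page and returns a verdict per hint, using a host-suffix lookup as a simplified stand-in for the URL classifier. The blocklist, host names, sample page and function names are all assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist (stand-in for a local Safe Browsing list, not urlclassifier3).
BLOCKLIST = {"attack.example"}
# <link rel> values that make the browser touch the network without a click.
PREFETCH_RELS = {"prefetch", "dns-prefetch"}
# Constructed sample of a search results page (hypothetical hosts).
SAMPLE_RESULTS_PAGE = """<html><head>
<link rel=prefetch href="http://www.attack.example/">
<link rel="stylesheet" href="/style.css">
<link rel="dns-prefetch" href="//cdn.safe.example">
<LINK REL="Prefetch" HREF="/next-page">
</head><body><a href="http://www.attack.example/">first result</a></body></html>"""

class PrefetchHintParser(HTMLParser):
    """Collects (rel, absolute URL) for each prefetch hint in <link> tags."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hints = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "link" or not attr.get("href"):
            return
        rels = set((attr.get("rel") or "").lower().split()) & PREFETCH_RELS
        for rel in sorted(rels):
            self.hints.append((rel, urljoin(self.base_url, attr["href"])))

def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host or any parent domain is on the blocklist."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # www.attack.example -> www.attack.example, attack.example (never the TLD)
    return any(".".join(labels[i:]) in blocklist
               for i in range(max(1, len(labels) - 1)))

def audit_prefetch(html, base_url, blocklist=BLOCKLIST):
    """Returns one verdict per hint; allow=False means skip the prefetch."""
    parser = PrefetchHintParser(base_url)
    parser.feed(html)
    parser.close()
    return [{"rel": rel, "url": url, "allow": not is_blocked(url, blocklist)}
            for rel, url in parser.hints]

if __name__ == "__main__":
    for verdict in audit_prefetch(SAMPLE_RESULTS_PAGE, "http://search.example/"):
        print(verdict)
```

The same audit can be run over saved copies of a results page to confirm whether the page emitted a prefetch hint for a flagged host, which is the question comments 4 and 5 were trying to settle by hand.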
Updated•11 years ago
Product: Firefox → Toolkit
Updated•9 years ago
Priority: P5 → P3
Updated•7 years ago
Whiteboard: tp-leak
Updated•2 years ago
Severity: normal → S3
Comment 20•2 years ago
The content of attachment 9332125 has been deleted for the following reason: Abuse
Comment 21•2 years ago
The content of attachment 9332126 has been deleted for the following reason: Abuse
Comment 22•2 years ago
The content of attachment 9332127 has been deleted for the following reason: Abuse
Comment 23•2 years ago
The content of attachment 9332128 has been deleted for the following reason: Abuse
Comment 24•2 years ago
The content of attachment 9332129 has been deleted for the following reason: Abuse
Comment 25•2 years ago
The content of attachment 9332130 has been deleted for the following reason: Abuse
Comment 26•2 years ago
The content of attachment 9332133 has been deleted for the following reason: Abuse
Comment 27•2 years ago
The content of attachment 9332134 has been deleted for the following reason: Abuse
Comment 28•2 years ago
The content of attachment 9332135 has been deleted for the following reason: Abuse
Comment 29•2 years ago
The content of attachment 9332136 has been deleted for the following reason: Abuse
Comment 30•2 years ago
The content of attachment 9332137 has been deleted for the following reason: Abuse
Comment 31•2 years ago
The content of attachment 9332138 has been deleted for the following reason: Abuse