Bug 580370 - Security Vulnerability in Search Override
Status: RESOLVED INVALID (closed)
Opened 15 years ago; closed 15 years ago
Categories: Firefox :: Security, defect
Reporter: bugtracker; Unassigned
Attachments: 1 file (5.03 KB, text/plain)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0C)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 GTB7.1 ( .NET CLR 3.5.30729; .NET4.0C)
There seems to be a serious vulnerability in the search override in FF. When a vendor constructs a toolbar in which the toolbar is installed with bundled software, the search bar remains intact and functional. However, searching from the address bar triggers an override where the browser can be navigated to any website address. This vulnerability was demonstrated when both Adobe and Panda Security installed their toolbar bundle with their software. The toolbar seems to be created by Contribute. The search is directed to Yahoo without the user's approval or knowledge. The user is void of making any changes except a hard change to a file that is not publicly expressed to users, but seems to be allotted to vendors. The location is listed under Modified Preferences: keyword.URL http://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=
To pull up this information, on the file menu, go to Help > Troubleshooting Information > Modified Preferences.
I have noticed many complaints where users cannot find how to reset the original criteria. It cannot be reset, but this is the location of the modified information under Windows 7: Program Files > Mozilla Firefox > searchplugins
Reproducible: Always
Steps to Reproduce:
1. The Override is set by the vendor installation and code allotted by Mozilla.
Actual Results:
Initial search-bar remains unaltered. However, address-bar search will direct the user to the website coded by the vendor exploit. This website address can be any website address.
Expected Results:
The override cannot be altered by the Mozilla FF options nor preferences.
Immediately, Mozilla will need to implement the same security protections as Microsoft has done with IE8. The security measure prevents unauthorized tampering or changes made to the browser without (administrator) approval. If Mozilla cannot accomplish this, the alternative will be to lock the browser down after browser installation.
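As an added example (not code from the bug report, the toolbar vendor or Firefox), the script below audits a Firefox prefs.js for a user-level keyword.URL override like the one described above and separates the affiliate tags from the search URL; the prefs.js snippet is constructed, with the keyword.URL value taken from this report.

```python
import re
from urllib.parse import parse_qs, urlparse

# One prefs.js entry looks like: user_pref("name", value);
# where value is a double-quoted string, an integer, or true/false.
PREF_LINE = re.compile(
    r'^\s*user_pref\("(?P<name>[^"\\]+)",\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\);'
)

# Constructed sample prefs.js; the keyword.URL value is the one quoted in the bug.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "rv:1.9.2.6");
user_pref("keyword.URL", "http://search.yahoo.com/search?fr=panda&type=panda1_0yatb&p=");
user_pref("keyword.enabled", true);
"""

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        raw = m.group("value")
        if raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            value = int(raw)
        prefs[m.group("name")] = value
    return prefs

def audit_search_override(prefs):
    """Flag a user-level keyword.URL override and pull out its affiliate tags.
    prefs.js only stores values that differ from the build defaults, so any
    keyword.URL entry was set by something other than stock Firefox. Query
    parameters that already carry a value (fr=, type=) are the affiliate tags;
    the empty trailing one (p=) is where the typed search terms go."""
    findings = []
    url = prefs.get("keyword.URL")
    if isinstance(url, str) and url:
        parsed = urlparse(url)
        tags = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        findings.append({"pref": "keyword.URL", "host": parsed.hostname, "affiliate_tags": tags})
    return findings
```

Running audit_search_override(parse_prefs(open(path_to_prefs_js).read())) on a real profile reports the override host and its affiliate tags, or an empty list when keyword.URL has not been touched.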
Comment 1 (Reporter), 15 years ago
Comment 2 (Reporter), 15 years ago
Comment on attachment 458766
Mozilla FF
I apologize, the toolbar is created by Visicom Media and can be found at <http://software.visicommedia.com/en/> or <http://www.dynamictoolbar.com>. The toolbar is a bundled install the first time, but each time after that, the installation can be initiated and uninstalled manually.
Comment 3, 15 years ago
3rd party software installed to your machine can change the configuration of your machine in many ways, and if actually malicious could do much worse than a minor affiliate search link change. There is not much practical defense Firefox or any other installed program can have against truly malicious software which limits the amount of defense worth taking in border-pushing cases such as this.
I assume that when the toolbars are uninstalled, or disabled from the Firefox Add-ons dialog, that the keyword search change reverts back to the default (Google)?
The behavior described would violate the "No Surprises" policy we enforce for Add-ons hosted at our own https://addons.mozilla.org site -- a policy we had to institute when various add-ons made similar kinds of search changes unrelated to the functionality of the add-on in an attempt to earn affiliate marketing money.
The only thing that will prevent these kinds of slimy-but-not-illegal changes is social pressure. Complain to Panda that they are making unauthorized, unadvertised, and unwanted changes to your browser (it's their affiliate code, they're making money off this). If you're in the United States it might be worth firing off a complaint to the Federal Trade Commission (FTC) -- they'll investigate these kinds of practices if they get enough complaints. Definitely complain to Yahoo because this kind of install may violate the Terms of Service for their affiliate program. And finally, blog about it or write to tech publications who review the software and complain about the unwanted riders (and contribute a user review if that's an option).
One voice may not cause a change, but the collective unhappiness of their customers will. Don't be silent.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID