Invalid URL redirected to google! Allows google to index potentially sensitive internal information!!!

VERIFIED DUPLICATE of bug 517736

Status

()

Firefox
Address Bar
VERIFIED DUPLICATE of bug 517736
8 years ago
a year ago

People

(Reporter: Dietmar May, Unassigned)

Tracking

3.6 Branch
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

If an invalid URL is typed in the address bar, the search is redirected to google. That's the WORST THING it could do! Suppose the URL has information about a company's internal network, including host names, port numbers, and even passwords! (OK, it's generally a bad idea to include a password in a URL, but ...) From behind a firewall, that information is protected. Even on the internet, the encrypted connection is negotiated before the parameter (eg. directory) information in the URL is passed to the server. But firefox bypasses that firewall protection, and SENDS PRIVATE INFORMATION STRAIGHT TO google, who is happy to then include that in public search results for the whole world!!!!!

IE 6 doesn't do that.

I've checked all the settings I can see, and can't find an option that resolves this. I believe there was an about:settings mode before, but that doesn't work. prefs.js doesn't seem to have a flag to change this behavior. And if it were (made) configurable, the default should NOT be to search from the address bar. There's a search toolbar for that!

This is the worst possible behavior, a major security hole, and enough of a flaw that I've just abandoned firefox as my corporate browser, have very reluctantly switched back to IE, and will be sending this to our IT department for review.

Reproducible: Always

Steps to Reproduce:
Type the specified URL (or any invalid text) into the address bar.
Actual Results:  
Firefox sends the URL straight to google, which reports:

Your search - Invalid URL not found https://abc.de.server.snooper.com:1234/abc/def/yakko?SNARF=GO - did not match any documents.

Suggestions:

    * Make sure all words are spelled correctly.
    * Try different keywords.
    * Try more general keywords.
    * Try fewer keywords.

Expected Results:  
HTTP Error 404 - URL not found; or some polite version, perhaps which pops up a search page that - WITHOUT SENDING ANYTHING TO GOOGLE - populates an edit field with the URL text and politely offers the user the opportunity to search, if they want.
This feature is very old and IE is doing the same with the default configuration.
(win7 and IE8)
http://support.mozilla.com/en-US/kb/Location+bar+search explains it for Firefox.
Why do you don't disable this feature if you don't like it ?

Updated

8 years ago
Severity: critical → normal
Component: Security → Location Bar
QA Contact: firefox → location.bar
Version: unspecified → 3.6 Branch
(Reporter)

Comment 2

8 years ago
Why does Firefox enable this feature by default? And why doesn't Firefox provide some mechanism other than about:config to change it?

This default behavior caused me to leak some sensitive internal corporate details to the planet's biggest search engine (the same folks who probably drove by your house in Germany and captured the mac address of your wireless router, along with a picture of your house, because they want to know everything that they can about you, so they can sell your profile). To me, it's an unacceptable risk to have invalid URLs forwarded to them by default. Maybe IE does this by default too; and maybe for 80% of the user base, it's not an issue. Maybe the corporate IT guys and gals in my company have already locked down IE so it doesn't behave like that. But I think Firefox is much better than IE. Now I'm afraid to use it at work.

I looked in all of the preferences for some security setting to turn this off. As far as I can see, such preference doesn't exist.

As for about:config, even though I knew this existed (at one time), I couldn't remember the URL. (Remembered it as about:settings, which is wrong - but why do I need to remember this syntax? why isn't there a link on the advanced preferences page?)

If Firefox would disable this by default and provide some user accessible switch to toggle it, I believe it would be a good option. Or, as I mentioned earlier, if it displayed a webpage that allowed the user to search if they wanted to ... perhaps it could be done with the keyword.URL setting.

Thank you for the link and the tip about disabling this feature.
>Allows google to index potentially sensitive internal information
Google can't index sensitive material just because of this feature.
Sensitive material would be protected by at least basic authentication.

The is the same stupid story as with the WLAN. It's funny that people are angry because someone (in this case google) stored information from an unprotected and unencrypted WLAN. 

The only thing that google can get are internal server names and document names.

PS: I don't like Google. I don't use gmail (only as backup), no google maps (openstreetmap is better).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 517736
(Reporter)

Comment 4

8 years ago
No, what google can get is username/passwords that are embedded in https URLs, and information about how an internal network may be structured. I think that's a serious security flaw.

Given that the duplicate bug is marked resolved won't fix, it seems that either the folks at Mozilla have absolutely no concern about their users' security, or they have no willingness to think through the issue and understand why it's a serious flaw, or they're simply unwilling to invest effort to fix security holes, preferring to create pretty toolbar backgrounds and other eyecandy instead of protecting their users. I hope none of those are the case.

In the meanwhile, NOW THAT I KNOW about the config setting the hard way, I've turned it off on my personal machine. For my corporate environment, I've just uninstalled Firefox, and have gone back to using Internet Explorer, as configured by my IT folks. And I really hate to have to do that.
(In reply to comment #4)
> Given that the duplicate bug is marked resolved won't fix, it seems that either
> the folks at Mozilla have absolutely no concern about their users' security, or
> they have no willingness to think through the issue and understand why it's a
> serious flaw, or they're simply unwilling to invest effort to fix security
> holes, preferring to create pretty toolbar backgrounds and other eyecandy
> instead of protecting their users. I hope none of those are the case.
...or they have a different perspective on how serious the "flaw" is...

Updated

8 years ago
Status: RESOLVED → VERIFIED

Comment 6

a year ago
This is a serious flaw: The default behavior is sending accidentally pasted text to any external site. It is common to make mistakes about what is in the clipboard. I have sensitive text X in the clipboard, such as a complete personal email, perhaps from half an hour ago, and I think I have copied text Y (a URL) to the clipboard, but for some reason this copy operation did not occur.  I paste to the address bar of Firefox and hit enter immediately - something I do dozens of times a day - and text X is sent to an external site.

If someone doesn't think this is a serious flaw, then what else would they need to be convinced of?

To make it worse, there is no normal UI method of disabling this behavior.

See my Bug 1346505 for how disabling this behavior with "about:config keyword.enabled = false" does not work if the text in the address bar contains, for instance, "google", even though Google is not in my list of search engine providers.
Sorry, but the fact you found an implementation bug, is not a good enough reason to comment in a 7 years old closed bug.
Comment hidden (admin)
You need to log in before you can comment on or make changes to this bug.