Closed Bug 636780 Opened 9 years ago Closed 9 years ago

A user reported that bank website(s) are being hijacked in Firefox ("XULRunner 1.9.1")

Categories: Firefox :: Security, defect, blocker
Version: 3.6 Branch
Platform: x86, Windows XP
Priority: Not set
Severity: blocker
Tracking: RESOLVED DUPLICATE of bug 660924
People: Reporter: zzxc, Unassigned
References: Blocks 1 open bug
Attachments: 3 files

A user on SUMO reported an overlay on chase.com, seemingly due to spyware or a rogue add-on.  Unfortunately he broke off contact before I could get more information.  Due to the potential seriousness of this issue, I'm filing a bug so it can be investigated.

Upon logging into chase.com with Firefox, this user experienced an overlay asking for information such as ATM pin and mother's maiden name.  Chase confirmed to this user that they don't ask such information on their website.  The user's about:support paste and screenshot are attached.
Attached image: Screenshot from user
That looks bad.  There's not a ton of info to go off of, though. The session appears to be HTTPS, so that would make a network MITM unlikely, and the list of extensions looks fairly sane.  All I can think of ATM is that they have a pretty sophisticated malware infection.
Listed extension:
        XULRunner
        1.9.1
        true
        {8A2CE462-E1B4-49A3-A24B-6D3D67525A06}

The thing Mozilla calls "XULRunner" is not an add-on and would never show up in this list, but it's a clever, plausible disguise. This is known malware (uses random GUIDs so we can't block it). Removing this isn't going to clean up the user's machine; usually it's just secondary malware (and IE will be infected with an equivalent BHO).

It's too bad about:support doesn't list plugins. From the Java Console I'd guess they have a very old version of Java installed, and java hacks are common in exploit toolkits. If Java is old maybe Flash and Acrobat/Reader are old, and attacks on those are common, too.

Prefs:
  security.enable_ssl2   true

None of the ssl2 cipher prefs are enabled so it's not going to actually work, therefore I'm guessing this is an old profile from back in the days when there was only the global protocol pref.
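As an added example (not part of the bug thread and not Mozilla's code), the following Python script applies the two checks made in the comment above to a pasted about:support listing: it flags an "extension" whose name is that of a platform component rather than an add-on, and it reports whether security.enable_ssl2 actually has any effect given the security.ssl2.* cipher prefs. The four-line-per-entry listing format mirrors the paste quoted above; the non-XULRunner entries, their IDs and the pref lines are constructed sample data, and the set of platform names is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Names of platform components that never appear as installed add-ons in
# about:support. An "extension" carrying one of them is impersonating the platform.
# (Assumed set for this example; extend it as needed.)
PLATFORM_NAMES = {"xulrunner", "gecko", "firefox", "toolkit"}

# Constructed sample: the Extensions section as pasted from about:support
# (name / version / enabled / id, one value per line). The XULRunner entry is
# the one quoted in the bug; the other entry and its ID are made up.
SAMPLE_EXTENSIONS = """
        Example Add-on
        2.0
        true
        {00000000-0000-0000-0000-000000000001}
        XULRunner
        1.9.1
        true
        {8A2CE462-E1B4-49A3-A24B-6D3D67525A06}
"""

# Constructed sample: the modified-prefs section. The global SSL2 switch is on,
# but the only SSL2 cipher pref present is false, so SSL2 is effectively off.
SAMPLE_PREFS = """
  security.enable_ssl2   true
  security.ssl2.rc4_128  false
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Extension:
    name: str
    version: str
    enabled: bool
    ext_id: str


def parse_extensions(section: str) -> list[Extension]:
    """Parse the four-line-per-entry Extensions listing into Extension records."""
    lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("extension listing is not a multiple of four lines")
    out = []
    for i in range(0, len(lines), 4):
        name, version, enabled, ext_id = lines[i:i + 4]
        out.append(Extension(name, version, enabled.lower() == "true", ext_id))
    return out


def suspicious_extensions(exts: list[Extension]) -> list[tuple[Extension, str]]:
    """Return (extension, reason) pairs for entries that impersonate the platform.

    A random-looking GUID by itself is not evidence of anything (many legitimate
    add-ons use GUID ids), which is exactly why the comment says such malware
    cannot be blocklisted by id; the name is the only stable signal here.
    """
    findings = []
    for e in exts:
        if e.name.lower() in PLATFORM_NAMES:
            reason = "name impersonates a platform component"
            if GUID_RE.match(e.ext_id):
                reason += " (GUID id, so per-id blocklisting will not hold)"
            findings.append((e, reason))
    return findings


def parse_prefs(section: str) -> dict[str, str]:
    """Parse 'pref-name value' lines into a dict."""
    prefs = {}
    for ln in section.splitlines():
        parts = ln.split()
        if len(parts) == 2:
            prefs[parts[0]] = parts[1]
    return prefs


def ssl2_effectively_enabled(prefs: dict[str, str]) -> bool:
    """security.enable_ssl2 only matters if at least one security.ssl2.* cipher pref is true."""
    if prefs.get("security.enable_ssl2") != "true":
        return False
    return any(k.startswith("security.ssl2.") and v == "true" for k, v in prefs.items())


if __name__ == "__main__":
    for ext, why in suspicious_extensions(parse_extensions(SAMPLE_EXTENSIONS)):
        print(f"SUSPICIOUS: {ext.name} {ext.version} {ext.ext_id}: {why}")
    print("SSL2 effectively enabled:", ssl2_effectively_enabled(parse_prefs(SAMPLE_PREFS)))
```

Run against a real paste, the script produces the same conclusion the comment reaches by eye: the "XULRunner 1.9.1" entry is flagged on its name, and the stale security.enable_ssl2 pref is reported as having no effect because no SSL2 cipher pref is true.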
Thanks for the analysis.  Since the result in this case is really bad, is there anything we can do to reduce the exposure of Firefox users infected with this malware, given that its effects are much worse than most?  (e.g. any third-party servers the "XULRunner" add-on is injecting into pages or sending data to could be blocked as attack sites)
If we find out what extension or whatever is causing this we could look into blocking that extension or whatever's causing this.
(In reply to comment #7)
> If we find out what extension or whatever is causing this we could look into
> blocking that extension or whatever's causing this.

If the xulrunner extension is the cause, it can't be blocklisted with a random uuid unless a capability is added for blocklisting by name.  Blocking whichever server(s) the add-on is injecting into pages would mitigate the issue, though.

I'll try to get a sanitized profile from a user, if I find another reporting a similar problem, so we can try to reproduce.
Group: core-security
> If the xulrunner extension is the cause, it can't be blocklisted with a
> random uuid unless a capability is added for blocklisting by name.

...and blocking by name will simply lead to random names.
I've found several threads on SUMO that may be related to this issue. http://support.mozilla.com/en-US/questions/808836 shows a user with a similar fake/rogue add-on. If there were a way to get in contact with these users, without violating the privacy policy, I'm sure we could find out where it came from/how they got it.
Summary: A user reported that bank website(s) are being hijacked in Firefox → A user reported that bank website(s) are being hijacked in Firefox ("XULRunner 1.9.1")
Bug 660924 is the same issue. Can someone merge these two or something?
Seems like bug 660924 has the most recent and most valuable information so duping this one to that one.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 660924