[INVALID] Browser hijacked by fake version of NoScript?

Waybie
Posts: 8
Joined: Fri May 15, 2020 1:08 pm

Post by Waybie » Sat Oct 03, 2020 8:47 pm

My browser (Firefox) has been hijacked and Google search redirects to a spoof site. After a lot of testing, I realized that NoScript was causing this, and as soon as I turn off NoScript, the hijack disappears.

I also noticed that the same problem occurs in my two main browser profiles, but it does not occur on my third browser profile - that profile also has NoScript installed, and they all say they are version 11.0.46.

After checking, I noticed some differences between the 'clean' NoScript and the others - the 'clean' one says last updated Sept 21st, and has a "Release Notes" tab. While the dangerous version says last updated Sept 30th and has no "Release notes" tab.

I'm guessing this is some kind of fake/hacked version of NoScript. Firefox thinks it's the genuine version because when I try to install the real NoScript, the button says "Activate" rather than "Install".

I have no idea how this happened, how to proceed, or how serious this is. Any suggestions?

Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Browser hijacked by fake version of NoScript?

Post by Giorgio Maone » Sat Oct 03, 2020 10:07 pm

NoScript's XPI package, like any other Firefox extension, is signed by Mozilla on each release.
Therefore all the "{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi" files, that you can find in the "extensions" directory in each Firefox profile, must be identical (not necessarily the file name, but the content, byte per byte) to the one you can download from addons.mozilla.org.
If one is not, it's a fake.
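
The byte-for-byte comparison described in the reply above can be done by hashing each profile's copy of the XPI and a fresh download of the same version. This is an added example, not part of the original thread or of NoScript's own code; the directory layout passed as `profiles_root`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File name of NoScript's XPI (its extension ID), as quoted in the reply above.
NOSCRIPT_XPI = "{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi"

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so the package is not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_profiles(profiles_root: Path, reference_xpi: Path) -> dict:
    """Map each profile name to 'match', 'MISMATCH' or 'not installed'."""
    expected = sha256_file(reference_xpi)
    results = {}
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        installed = profile / "extensions" / NOSCRIPT_XPI
        if not installed.is_file():
            results[profile.name] = "not installed"
        elif sha256_file(installed) == expected:
            results[profile.name] = "match"
        else:
            # Content differs from the reference, whatever the file size says.
            results[profile.name] = "MISMATCH"
    return results

def demo() -> dict:
    """Constructed sample: three profiles, one XPI altered without changing its size."""
    genuine = b"PK\x03\x04" + b"constructed genuine package bytes"
    altered = genuine[:-1] + b"!"  # same length, different content
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        reference = root / "reference.xpi"  # stands in for the addons.mozilla.org download
        reference.write_bytes(genuine)
        profiles = root / "Profiles"
        for name, data in (("a.default", genuine), ("b.work", altered), ("c.empty", None)):
            ext = profiles / name / "extensions"
            ext.mkdir(parents=True)
            if data is not None:
                (ext / NOSCRIPT_XPI).write_bytes(data)
        return check_profiles(profiles, reference)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real system, call `check_profiles` with the Firefox profiles directory and the XPI downloaded from addons.mozilla.org.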


Re: Browser hijacked by fake version of NoScript?

Post by Waybie » Sun Oct 04, 2020 11:07 am

Hmmm. I've checked and the two xpi's are identical in size (599,495 bytes)

Perhaps I could somehow send you the xpi file causing the problem and you could see what you think of it? Please let me know how.

Re: Browser hijacked by fake version of NoScript?

Post by Waybie » Sun Oct 04, 2020 11:36 am

I've just tried uninstalling and reinstalling NoScript, but still have the same problem whenever it's turned on, and "Release notes" tab is still missing.

So I think there are 3 possibilities…

1. I'm using the real, official xpi, which contains malware
(I can rule this out if NoScript SHOULD have a "Release notes" tab)

2. The xpi is being infected/switched somehow during the download/installation process
(I can rule this out if you can confirm the authenticity of my xpi file?)

3. I have some kind of malware installed which depends on NoScript to run

Re: Browser hijacked by fake version of NoScript?

Post by Giorgio Maone » Sun Oct 04, 2020 2:11 pm

Waybie wrote:
Sat Oct 03, 2020 8:47 pm
My browser (Firefox) has been hijacked and Google search redirects to a spoof site. After a lot of testing, I realized that NoScript was causing this, and as soon as I turn off NoScript, the hijack disappears.

I've got a better theory. Might it be that whatever malware you've got installed, NoScript's presence (e.g. disabling some of the scripts it relies upon to stay stealthy) makes its activity more visible (i.e. redirecting to a different site rather than exfiltrating data or mining bitcoins or whatever in a stealthier way)?
Of course this is impossible to investigate properly without knowing further details, like which other extensions you've got installed, how do you begin those searches and what's the spoof destination of them.
Also you could check whether disabling JavaScript by other means (about:config > javascript.enabled -> false) produces similar effects.

Re: Browser hijacked by fake version of NoScript?

Post by Waybie » Sun Oct 04, 2020 5:33 pm

OK… I have an update on this.

First of all, you were correct! Disabling javascript does indeed force the "fake" Google page to appear! So this definitely has nothing to do with NoScript!

However, something has just occurred to me, and if I'm right then I am a complete and total idiot…

I notice that somehow I had www.google.com disabled in my NoScript settings, meaning that Google itself could not use javascript. Now since this "fake" page appears anytime javascript is disabled… could what I'm seeing just be Google's non-javascript alternative?

Is that what other people see when Javascript is off?:

Image

To me, this looks absolutely nothing like the real Google, virtually everything about it is different and odd looking. It even uses the green URLs which Google scrapped months ago. Plus, I'm used to Google's non-javascript alternative and this definitely isn't it.

I really hope you will tell me that I'm a complete and total idiot, and this is just Google's normal non-javascript page! That would be a relief! :lol:

Re: Browser hijacked by fake version of NoScript?

Post by Giorgio Maone » Sun Oct 04, 2020 6:47 pm

Waybie wrote:
Sun Oct 04, 2020 5:33 pm
I really hope you will tell me that I'm a complete and total idiot, and this is just Google's normal non-javascript page! That would be a relief! :lol:

Yes it is :)

Re: Browser hijacked by fake version of NoScript?

Post by Waybie » Sun Oct 04, 2020 10:00 pm

Ah, what a relief! Thanks so much, and really sorry to trouble you! (Thanks also for the strikethrough!) :)