Why is this website trying to connect to some of my bookmarks?
October 28, 2007 11:56 AM   Subscribe

Visiting a website forces firefox to try to make several HTTPS connections to websites in my bookmarks.

Okay, this is slightly embarrassing but my curiosity and paranoia are stronger so I must ask:

While strolling through the interwebs, I happened upon a website with pictures of pretty girls. Nothing depraved, just pretty girls, 90% non-nude but for the sake of everyone here let's say NSFW.

Clicking on one of the pictures to see a larger view set off my newly installed firewall, notifying me of several HTTPS connection attempts to websites in my bookmarks, including:

Vanguard (banking)
FNBO Direct (banking)

What!? Obviously the banking stuff makes me nervous.

Anyone know how it's pulling these from my bookmarks and the security problems going on here?

I'm a former XP user, so I understand the dangers of spyware/trojans/etc... but the odd thing is I'm on OS X, using Firefox.

More info you might ask:

-These bookmarks aren't placed near each other in my bookmarks (different folders), yet they are all HTTPS.
-It's always the same websites each time I close firefox and try to reload the website, not random ones.
-Using Firefox on a fully patched OS X 10.4.10
-Firewall is Little Snitch (there's a free demo of version 2.0 until Nov 17)

Here's a link to the website, NSFW and please take your own firewall precautions.
posted by anonymous to Computers & Internet (8 answers total)
It's known as "cross site scripting".
posted by Steven C. Den Beste at 12:02 PM on October 28, 2007

I would bet that this is CSRF instead of XSS, but I'm just nitpicking.

This is still one site trying to screw you over and steal your money/information. And it doesn't matter what OS you are using. mac, linux, freebsd, whatever, it doesn't matter since this attack just involves stuff in your web browser. The attack is just hoping that you didn't click the logout button from your bank website and the authentification cookies are still valid. If they are, the attacking site makes a request to your bank, and your web browser will attached the auth cookies to the request and perform the action requested.

This is the reason that you should always click logout, and that many sites have the timeout to log you off. Also, a good idea to clear out your cookies before you go browse any slightly questionable parts of the web, though that isn't complete protection.
posted by recursion at 2:59 PM on October 28, 2007

No need to panic monger, the chances of it hitting on exactly that list of sites randomly is tiny, and if there was a browser bug allowing the site access to your bookmarks you'd have heard about it.

The most likely explanation is that your browser is loading the favicons for your bookmarks (the little pictures that show up next to the URL), and your software firewall is configured to alert you about https but not http, so only the "secure" sites show up in the warning.
posted by fvw at 3:00 PM on October 28, 2007

fvw, I don't know why the favicons would all be loaded when you visit this specific site. I'd think you'd see it either loading everything at random times, or only loading for the sites you visit. The original post makes it sound like the connections happen only when he looks at a specific page.

anon, you might try removing one of the site that it looks at from your bookmarks and trying again. If it stops trying that site, it would seem to be your bookmarks that it is looking at. If not, it is more likely that it just happens to be trying sites that you have bookmarked.
posted by recursion at 3:21 PM on October 28, 2007

The best habit to get into is this: whenever you visit a secure site, especially one that has access to your money, then when you are through kill your browser session. Terminate the program.

Then start another one before you visit anything else.
posted by Steven C. Den Beste at 3:27 PM on October 28, 2007

Comes up safe in McAfee SiteAdvisor. That's not a 100% guarantee, but the site has also been around since 1999, so it's not some fly-by-night operation.

I would scan your system with a different virus checker than you usually use, and Ad-Aware as well. You probably picked up a BHO somewhere.
posted by dhartung at 5:20 PM on October 28, 2007

Hmm, was going to recommend NoScript, (http://noscript.net/) but I see you're a Mac user. Can anyone confirm whether or not NoScript is useful for Macs?
posted by aeschenkarnos at 6:29 PM on October 28, 2007

NoScript is definitely useful for Macs. Like all Firefox extensions (at least all that I'm aware of), it's platform-agnostic.

Although it's somewhat less likely that you'll pick up a trojan or rootkit on a Mac, you're still vulnerable to CSRF and CSS attacks. NoScript is the easiest way to prevent them.

(NoScript blocks all JavaScript except on whitelisted pages, but gives you the ability to temporarily enable it on any page when you need it. Very nice -- I use it everwhere and recommend it to everyone.)
posted by Kadin2048 at 10:11 PM on October 28, 2007

« Older What's a fair price to pay for a broken dryer...   |   How do I write this paper: [Blank's] effect on... Newer »
This thread is closed to new comments.