Skip to main content

Firefox 33 to introduce better search hijacking protection

Mozilla plans to improve user protection against unwanted search engine manipulations in Firefox by changing the way search engine information are stored in the browser.

Firefox users have to cope with unwanted changes made to the browser more than other users. When it comes to unwanted add-on and toolbar installations, and changes made to the homepage or search provider, it is Firefox that is affected the most by it.

There are several reasons for that, one being that it is easy enough to manipulate certain preferences to modify homepage or search engine values.

Search hijacking is a big issue right now. This usually happens during the installation of programs that ship with adware offers. If you are not careful, you may end up with a different search provider that is used for all browser searches from that moment on.

While it is easy enough to switch back if you know how to, it can be a very frustrating experience, especially if the change is made regularly by a program running in the background.

Mozilla plans to improve user protection against search hijacking in several ways in the near future. One effort will be integrated into Firefox 33.

The preference browser.search.selectedEngine, which is currently being used to determine the default search engine in Firefox, will be removed as a consequence.

The value of the preference will be saved in the file search-metadata.json instead which is stored in the user's profile directory. Since it would be relatively easy to replace that file, a hash is added to it as well which is generated from the profile directory name.

This way companies cannot just replace the file with their own copy as the hash won't match. While there may be options to get around this, for instance by generating the hash as well, it is improving protection nevertheless.

firefox search hijack protection

So what is happening if a program tries to change the default search provider in Firefox 33 or newer? The change is blocked. I installed the Ask Toolbar on my system and explicitly allowed it to change the default search provider. While the installation went fine, the search provider was not changed.

The most likely explanation is that it was not changed because it tried to modify the preference browser.search.selectedEngine which is not in use anymore.

Mozilla plans to make additional changes to improve the user experience further. Search engines added by add-ons will for instance be removed automatically if the add-on gets uninstalled in Firefox, and new guidelines will be added to make search engine changes using an API which in turn displays a notification to the user if the change should be made.

Drawbacks

The change will benefit users who run into troubles regularly in regards to third-party initiated changes of the browser's default search provider.

The change introduces on major drawback, as it won't be possible anymore to sync the selected search engine with other installations.

Search engines will still get synchronized if Firefox Sync is enabled, but it is up to the user to change the default search engine manually on all systems manually.

The second drawback is that programs won't be able to change the search engine anymore even if the user wants that to happen.

There are not any statistics for this and I think it is unlikely that many users want those changes to happen on their system but there may be some who do.

Conclusion

Mozilla has to do something about unwanted changes made to the configuration of the Firefox browser. It is unclear if the new way of storing the default search engine will be sufficient, or it if will only provide users with temporary protection until companies find a way to manipulate the search engine again.

The feature is already integrated in the most recent Nightly versions of Firefox. Mozilla plans to ship it with Firefox 33.

This article was first seen on ComTek's "TekBits" Technology News

HOME