[Compilation]Discussions about searches on Bing redirecting to http://ysrcunow.com/

leocg

leocg Moderator Volunteer last edited by

[Compilation]Discussions about searches on Bing redirecting to http://ysrcunow.com/

kevinro

kevinro last edited by

I'm using Bing as my default search engine.
When searching for something directly from the address bar, Opera initiates a weird redirect towards a page ysrcunow.com that appears as infected.
The same applies with right click -> Search.
All the other built-in search engines are behaving ok, the only one with this problem is Bing.
I found out only a thread on Reddit discussing this problem, that seems to be very recent: https://www.reddit.com/r/operabrowser/comments/177cqst/did_opera_for_mac_add_a_redirect_to_trovi_for/
Oh, and all the other browsers are behaving fine. Bing itself is behaving fine if directly accessed.
So it's something related to something built-in in Opera Browser.
I'm using the most recent browser 104.0.4944.33

leocg

leocg Moderator Volunteer @kevinro last edited by

@kevinro As said, disable all extensions and check your system for malware.

kevinro

kevinro @leocg last edited by

@leocg I don't have extensions. The only extension is the built-in ad blocker.

My antivirus is always "on".

As I said, it's something from the Opera Browser itself. I found it in the file C: > User > [USER] > AppData > Local > Programs > Opera > 104.0.4944.33 > resources > default_partner_content.json

It should be written "bing" and only "bing", I don't understand what is that "_attributed_ysrcunow" and I don't want it.

kevinro

kevinro last edited by

And this one (in the same file). It's obviously something from the latest instalation kit. It is activated only on certain languages/countries. Other countries can use "bing" normally.

I tried to modify the file, but it is impossible, the browser doesn't work anymore.

kevinro

kevinro last edited by

Threads are starting to popup on Reddit: https://www.reddit.com/r/OperaGX/comments/17gsdok/gx_redirecting_to_ysrcunowcom_for_bing_searches/

kevinro

kevinro last edited by

My antivirus (AVG) is blocking the URL. I just put an exception rule on it (because, honestly, it looks like a false positive, the website is harmless) and now everything is fine, but this is not normal.

blackbird71

blackbird71 last edited by

As a matter of security, I would treat with high suspicion anything which a user did not install directly that redirects their web searches. There simply is too much chance for abuse via manipulation/malware/privacy-invasion by the routine redirection of searches through 3rd-parties, especially virtually-unknown ones like this. If this is by design on Opera's part (which is implied by its presence in the default_partner_content.json file of multiple users), Opera ought to provide users with a clear explanation of what is going on and why. If it's not by design, an explanation of how it's getting into that .json file should be provided by Opera.

myswtest

myswtest last edited by myswtest

Hi @kevinro ...

I run a Linux OS, openSuse Tumbleweed, and have Opera installed:
(Opera One 104.0.4944.33, Stable,
Freedesktop.org SDK 22.08 (Flatpak), Chromium version:118.0.5993.96).

I did a global search for the filename in my home sub-dir.

:~> find . -name default_partner_content* -ls

It found three occurrences of the file, in various Opera sub-directories. Only one of those three files had the entry
(71 occurrences!):

"bing_attributed_ysrcunow",

And the URL:

"search_url": "https://ysrcunow.com/results.aspx?gd=RD1003896&searchsource=58&q={searchTerms}",

A quick Google search revealed about 4-5 websites, showing a low rating of that URL, plus the Reddit thread.

Somewhat disturbing, indeed !! Thanks for posting

burnout426

burnout426 Volunteer @blackbird71 last edited by

@blackbird71 said in Weird redirect towards an infected page:

If this is by design on Opera's part (which is implied by its presence in the default_partner_content.json file of multiple users), Opera ought to provide users with a clear explanation of what is going on and why.

I asked Opera. It's indeed legit, intentional and by design. The redirect is so https://ysrcunow.com/ gets credit for Bing searches. https://ysrcunow.com/ must be a partner now or something.

myswtest

myswtest last edited by

So I've spent time experimenting with different options for a fix for this issue.

Ultimately, this is the easiest and most reasonable. Of course it means you'll have to apply this change to all machines you have Opera on. This easy fix will help those who are concerned with this.

So on all OSes, there is a config file named: "hosts". On Unix style OSes (like Linux), it's path is:
/etc/hosts

On Windows OSes, the path is:
c:\Windows\System32\Drivers\etc\hosts

You have to be the root user to edit it. Open the file in your favorite text editor, and append this line:
0.0.0.0 ysrcunow.com

Basically, your browsers and such need to resolve the spelled-out-website-name into an IP numerical address, and then it reaches out to the website using that value. The first thing it does is look in the "hosts" file for the numerical address - if found, it uses it ... otherwise, it reaches out to the your DNS server (like a phonebook of the Internet) for the translation.

Basically, the address "0.0.0.0" is a dead address, ie, it resolves to "nothing", so your browser will NOT be directed to the actual website.

That's it. Good luck to all. I will post this here, and to another thread regarding this concern. The user leocg will probably comment, but doesn't matter. I've also seen this person posting out to a Reddit thread (with a slightly different username, but similar pattern: gomesleo).

(Sidenote: FWIW, I'm a software engineer with 35+ years experience (now retired ... I'm also a published author of four computer books), and spent quite a while with the security team. This is very questionable. After I'm done posting, I will be gone from this forum, and will uninstall Opera from all four of my machines, and will pass on the info to many others).

BlindRock

BlindRock last edited by

The Bing search redirects queries to a site called Trovi (ysrcunow.com), which appears to be located in Israel. This is not a compromised browser since we observe the same behavior in a fresh installation on a new computer. Several individuals are discussing this issue in your forums, but there is no confirmation that this behavior is intentional on the part of Opera.

I find this behavior suspicious, and it has raised concerns among several security agents, firewall, antivirus, etc. Could there be a malicious configuration in your product?

BlindRock

BlindRock @myswtest last edited by

@myswtest Unfortunately, I just tested your suggestion on a Windows workstation in an environment protected by a FortiGate, and I'm still getting the blocking message for yscunow.com by using the query 'b this'.

FWIW I am a sysadmin for nearly 22 years, but I'm not retired yet. You are a lucky one!

burnout426

burnout426 Volunteer last edited by

Update from Opera Security team: https://forums.opera.com/post/332280

BlindRock

BlindRock @burnout426 last edited by BlindRock

@burnout426 I have just test it again today on a Windows workstation in an environment protected by a FortiGate and I can confim the the behavior is gone.

Bing search is fine while ysrcunow.com is stil blocked.

Thanks to the security team!

Denizen976

Denizen976 @myswtest last edited by leocg

@myswtest I haven't mucked about in hosts in a long, long while...
After reading your post, my first thought was "why not just use Hosts to redirect yscunow to Bing - but then I wondered if that would set up a loop... "Bing.com -> yscunow -> bing.com -> Yscunow -> No_i_said_bing.com!! -> Yeah_but_yscunow!..." [plus, you'd have to have an IP for Bing, and that's probably not going to be a simple static IP...]

I'm concerned as to where, exactly, the substitution is being done.

If they (Opera) are snatching your URL request and replacing it, that's really not kosher., and I would be really pissed off at this behaviour.

If it's being done through some config/JSON files, at least that would be something we could look at, and maybe figure out and play Hobb with - only slightly better than it all being done behind the curtain.

Both are considered borderline evil, in my book.

BlindRock

BlindRock @Denizen976 last edited by

@denizen976 The issue with your suggestion would cause a certificate problem. As the destination yscunow would be redirected to bing.com, the browser would not appreciate receiving a certificate with the wrong domain name.

But, as I mentioned earlier, Opera's security team has removed this redirection.

The problem is solved.

Denizen976

Denizen976 @BlindRock last edited by leocg

@blindrock Yes, the "current issue" is "solved".
What hasn't been solved is:
Where was this initiated?
Why was it initiated?

Maybe I'm just not seeing the underlying problem? But I think it's pretty straightfoward:
"When searching for something directly from the address bar, ..."
If the user types in Bing.com, and Opera redirects to ysrcunow that is a serious breach of trust.
The user does not appreciate receiving the wrong domain name.

My solution wouldn't be a problem with certificates, because it would just be in the hosts file. But, my solution wouldn't work, because (AFAIK), you can't ricochet host name to host name in the hosts file, just host name to IP.

While they say it's fixed, the larger questions still loom.

FosterWest

FosterWest Banned last edited by

Thanks for advice!

FosterWest

FosterWest Banned last edited by This post is deleted!