[Compilation] Discussions about searches on Bing redirecting to http://ysrcunow.com/
-
kevinro last edited by
@leocg I don't have extensions. The only extension is the built-in ad blocker.
My antivirus is always "on".
As I said, it's something from the Opera Browser itself. I found it in the file C: > User > [USER] > AppData > Local > Programs > Opera > 104.0.4944.33 > resources > default_partner_content.json
It should be written "bing" and only "bing". I don't understand what that "_attributed_ysrcunow" is, and I don't want it.
-
kevinro last edited by
And this one (in the same file). It's obviously something from the latest installation kit. It is activated only on certain languages/countries. Other countries can use "bing" normally.
I tried to modify the file, but it is impossible, the browser doesn't work anymore.
-
kevinro last edited by
Threads are starting to pop up on Reddit: https://www.reddit.com/r/OperaGX/comments/17gsdok/gx_redirecting_to_ysrcunowcom_for_bing_searches/
-
kevinro last edited by
My antivirus (AVG) is blocking the URL. I just put an exception rule on it (because, honestly, it looks like a false positive, the website is harmless) and now everything is fine, but this is not normal.
-
blackbird71 last edited by
As a matter of security, I would treat with high suspicion anything which a user did not install directly that redirects their web searches. There simply is too much chance for abuse via manipulation/malware/privacy-invasion by the routine redirection of searches through 3rd-parties, especially virtually-unknown ones like this. If this is by design on Opera's part (which is implied by its presence in the default_partner_content.json file of multiple users), Opera ought to provide users with a clear explanation of what is going on and why. If it's not by design, an explanation of how it's getting into that .json file should be provided by Opera.
-
myswtest last edited by myswtest
Hi @kevinro ...
I run a Linux OS, openSuse Tumbleweed, and have Opera installed:
(Opera One 104.0.4944.33, Stable, Freedesktop.org SDK 22.08 (Flatpak), Chromium version: 118.0.5993.96).
I did a global search for the filename in my home sub-dir.
:~> find . -name 'default_partner_content*' -ls
It found three occurrences of the file, in various Opera sub-directories. Only one of those three files had the entry (71 occurrences!):
"bing_attributed_ysrcunow",
And the URL:
"search_url": "https://ysrcunow.com/results.aspx?gd=RD1003896&searchsource=58&q={searchTerms}",
A quick Google search revealed about 4-5 websites, showing a low rating of that URL, plus the Reddit thread.
Somewhat disturbing, indeed !! Thanks for posting
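An added example, not part of the original post and not Opera's code: one way to audit a partner-content JSON file for search entries that send queries to an unexpected host. The allowlist and the sample layout are assumptions; the code relies only on "search_url" keys appearing somewhere in the file.

```python
import json
import sys
from urllib.parse import urlsplit

# Assumption: domains a search entry may legitimately send queries to.
ALLOWED_DOMAINS = {"bing.com", "google.com", "duckduckgo.com"}

# Constructed sample, not Opera's real layout; the entry name and URL
# are the ones quoted in the post above.
SAMPLE = json.loads("""
{"search_engines": {
  "bing": {"search_url": "https://www.bing.com/search?q={searchTerms}"},
  "bing_attributed_ysrcunow": {"search_url":
    "https://ysrcunow.com/results.aspx?gd=RD1003896&searchsource=58&q={searchTerms}"}
}}
""")


def iter_search_urls(node, path=""):
    """Yield (json_path, url) for every "search_url" string at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key == "search_url" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_search_urls(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_search_urls(value, f"{path}/{index}")


def is_allowed(host, allowed):
    """Exact domain or a true subdomain; 'evilbing.com' does not match."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def unexpected_search_hosts(doc, allowed=ALLOWED_DOMAINS):
    """Map each non-allowlisted host to the JSON paths that reference it."""
    findings = {}
    for path, url in iter_search_urls(doc):
        host = (urlsplit(url).hostname or "").lower()
        if not is_allowed(host, allowed):
            findings.setdefault(host, []).append(path)
    return findings


if __name__ == "__main__":
    # Pass file paths on the command line; with none, the sample is used.
    docs = [json.load(open(p, encoding="utf-8")) for p in sys.argv[1:]] or [SAMPLE]
    for doc in docs:
        for host, paths in unexpected_search_hosts(doc).items():
            print(f"{host}: {len(paths)} entries, first at {paths[0]}")
```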
-
burnout426 Volunteer last edited by
@blackbird71 said in Weird redirect towards an infected page:
If this is by design on Opera's part (which is implied by its presence in the default_partner_content.json file of multiple users), Opera ought to provide users with a clear explanation of what is going on and why.
I asked Opera. It's indeed legit, intentional and by design. The redirect is so https://ysrcunow.com/ gets credit for Bing searches. https://ysrcunow.com/ must be a partner now or something.
-
myswtest last edited by
So I've spent time experimenting with different options for a fix for this issue.
Ultimately, this is the easiest and most reasonable. Of course it means you'll have to apply this change to all machines you have Opera on. This easy fix will help those who are concerned with this.
So on all OSes, there is a config file named: "hosts". On Unix style OSes (like Linux), its path is:
/etc/hosts
On Windows OSes, the path is:
c:\Windows\System32\Drivers\etc\hosts
You have to be the root user to edit it. Open the file in your favorite text editor, and append this line:
0.0.0.0 ysrcunow.com
Basically, your browsers and such need to resolve the spelled-out-website-name into an IP numerical address, and then it reaches out to the website using that value. The first thing it does is look in the "hosts" file for the numerical address - if found, it uses it ... otherwise, it reaches out to your DNS server (like a phonebook of the Internet) for the translation.
Basically, the address "0.0.0.0" is a dead address, i.e., it resolves to "nothing", so your browser will NOT be directed to the actual website.
That's it. Good luck to all. I will post this here, and to another thread regarding this concern. The user leocg will probably comment, but doesn't matter. I've also seen this person posting out to a Reddit thread (with a slightly different username, but similar pattern: gomesleo).
(Sidenote: FWIW, I'm a software engineer with 35+ years experience (now retired ... I'm also a published author of four computer books), and spent quite a while with the security team. This is very questionable. After I'm done posting, I will be gone from this forum, and will uninstall Opera from all four of my machines, and will pass on the info to many others).
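An added example, not part of the original post: a small parser that checks whether a hosts file actually sinkholes a given name. It shows one property of the approach above: hosts entries match exact names only, so the line covers ysrcunow.com but not a subdomain such as www.ysrcunow.com. The sample file content is constructed.

```python
import ipaddress

# Constructed sample: typical default entries plus the line from the post.
SAMPLE_HOSTS = """\
# static table lookup for hostnames
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0 ysrcunow.com   # appended as described above
not-an-ip   broken.example
"""


def parse_hosts(text):
    """Return {lowercased name: [addresses]} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue                            # blank or address-only line
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # skip malformed address
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def is_sinkholed(name, table):
    """True if every entry for this exact name is 0.0.0.0/:: or loopback."""
    addrs = [ipaddress.ip_address(a)
             for a in table.get(name.lower().rstrip("."), [])]
    return bool(addrs) and all(a.is_unspecified or a.is_loopback for a in addrs)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for candidate in ("ysrcunow.com", "www.ysrcunow.com"):
        state = "blocked" if is_sinkholed(candidate, table) else "NOT blocked"
        print(f"{candidate}: {state}")
```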
-
BlindRock last edited by
The Bing search redirects queries to a site called Trovi (ysrcunow.com), which appears to be located in Israel. This is not a compromised browser since we observe the same behavior in a fresh installation on a new computer. Several individuals are discussing this issue in your forums, but there is no confirmation that this behavior is intentional on the part of Opera.
I find this behavior suspicious, and it has raised concerns among several security agents, firewall, antivirus, etc. Could there be a malicious configuration in your product?
-
BlindRock last edited by
@myswtest Unfortunately, I just tested your suggestion on a Windows workstation in an environment protected by a FortiGate, and I'm still getting the blocking message for ysrcunow.com by using the query 'b this'.
FWIW I have been a sysadmin for nearly 22 years, but I'm not retired yet. You are a lucky one!
-
burnout426 Volunteer last edited by
Update from Opera Security team: https://forums.opera.com/post/332280
-
BlindRock last edited by BlindRock
@burnout426 I have just tested it again today on a Windows workstation in an environment protected by a FortiGate and I can confirm that the behavior is gone.
Bing search is fine while ysrcunow.com is still blocked.
Thanks to the security team!
-
Denizen976 last edited by leocg
@myswtest I haven't mucked about in hosts in a long, long while...
After reading your post, my first thought was "why not just use Hosts to redirect ysrcunow to Bing" - but then I wondered if that would set up a loop... "Bing.com -> ysrcunow -> bing.com -> Ysrcunow -> No_i_said_bing.com!! -> Yeah_but_ysrcunow!..." [plus, you'd have to have an IP for Bing, and that's probably not going to be a simple static IP...]
I'm concerned as to where, exactly, the substitution is being done.
If they (Opera) are snatching your URL request and replacing it, that's really not kosher, and I would be really pissed off at this behaviour.
If it's being done through some config/JSON files, at least that would be something we could look at, and maybe figure out and play Hobb with - only slightly better than it all being done behind the curtain.
Both are considered borderline evil, in my book.
-
BlindRock last edited by
@denizen976 The issue with your suggestion would cause a certificate problem. As the destination ysrcunow would be redirected to bing.com, the browser would not appreciate receiving a certificate with the wrong domain name.
But, as I mentioned earlier, Opera's security team has removed this redirection.
The problem is solved.
-
Denizen976 last edited by leocg
@blindrock Yes, the "current issue" is "solved".
What hasn't been solved is:
Where was this initiated?
Why was it initiated?
Maybe I'm just not seeing the underlying problem? But I think it's pretty straightforward:
"When searching for something directly from the address bar, ..."
If the user types in Bing.com, and Opera redirects to ysrcunow that is a serious breach of trust.
The user does not appreciate receiving the wrong domain name.
My solution wouldn't be a problem with certificates, because it would just be in the hosts file. But, my solution wouldn't work, because (AFAIK), you can't ricochet host name to host name in the hosts file, just host name to IP.
While they say it's fixed, the larger questions still loom.