[Compilation]Discussions about searches on Bing redirecting to http://ysrcunow.com/

myswtest

myswtest last edited by

So I've spent time experimenting with different options for a fix for this issue.

Ultimately, this is the easiest and most reasonable. Of course it means you'll have to apply this change to all machines you have Opera on. This easy fix will help those who are concerned with this.

So on all OSes, there is a config file named: "hosts". On Unix style OSes (like Linux), it's path is:
/etc/hosts

On Windows OSes, the path is:
c:\Windows\System32\Drivers\etc\hosts

You have to be the root user to edit it. Open the file in your favorite text editor, and append this line:
0.0.0.0 ysrcunow.com

Basically, your browsers and such need to resolve the spelled-out-website-name into an IP numerical address, and then it reaches out to the website using that value. The first thing it does is look in the "hosts" file for the numerical address - if found, it uses it ... otherwise, it reaches out to the your DNS server (like a phonebook of the Internet) for the translation.

Basically, the address "0.0.0.0" is a dead address, ie, it resolves to "nothing", so your browser will NOT be directed to the actual website.

That's it. Good luck to all. I will post this here, and to another thread regarding this concern. The user leocg will probably comment, but doesn't matter. I've also seen this person posting out to a Reddit thread (with a slightly different username, but similar pattern: gomesleo).

(Sidenote: FWIW, I'm a software engineer with 35+ years experience (now retired ... I'm also a published author of four computer books), and spent quite a while with the security team. This is very questionable. After I'm done posting, I will be gone from this forum, and will uninstall Opera from all four of my machines, and will pass on the info to many others).

BlindRock

BlindRock last edited by

The Bing search redirects queries to a site called Trovi (ysrcunow.com), which appears to be located in Israel. This is not a compromised browser since we observe the same behavior in a fresh installation on a new computer. Several individuals are discussing this issue in your forums, but there is no confirmation that this behavior is intentional on the part of Opera.

I find this behavior suspicious, and it has raised concerns among several security agents, firewall, antivirus, etc. Could there be a malicious configuration in your product?

BlindRock

BlindRock @myswtest last edited by

@myswtest Unfortunately, I just tested your suggestion on a Windows workstation in an environment protected by a FortiGate, and I'm still getting the blocking message for yscunow.com by using the query 'b this'.

FWIW I am a sysadmin for nearly 22 years, but I'm not retired yet. You are a lucky one!

burnout426

burnout426 Volunteer last edited by

Update from Opera Security team: https://forums.opera.com/post/332280

BlindRock

BlindRock @burnout426 last edited by BlindRock

@burnout426 I have just test it again today on a Windows workstation in an environment protected by a FortiGate and I can confim the the behavior is gone.

Bing search is fine while ysrcunow.com is stil blocked.

Thanks to the security team!

Denizen976

Denizen976 @myswtest last edited by leocg

@myswtest I haven't mucked about in hosts in a long, long while...
After reading your post, my first thought was "why not just use Hosts to redirect yscunow to Bing - but then I wondered if that would set up a loop... "Bing.com -> yscunow -> bing.com -> Yscunow -> No_i_said_bing.com!! -> Yeah_but_yscunow!..." [plus, you'd have to have an IP for Bing, and that's probably not going to be a simple static IP...]

I'm concerned as to where, exactly, the substitution is being done.

If they (Opera) are snatching your URL request and replacing it, that's really not kosher., and I would be really pissed off at this behaviour.

If it's being done through some config/JSON files, at least that would be something we could look at, and maybe figure out and play Hobb with - only slightly better than it all being done behind the curtain.

Both are considered borderline evil, in my book.

BlindRock

BlindRock @Denizen976 last edited by

@denizen976 The issue with your suggestion would cause a certificate problem. As the destination yscunow would be redirected to bing.com, the browser would not appreciate receiving a certificate with the wrong domain name.

But, as I mentioned earlier, Opera's security team has removed this redirection.

The problem is solved.

Denizen976

Denizen976 @BlindRock last edited by leocg

@blindrock Yes, the "current issue" is "solved".
What hasn't been solved is:
Where was this initiated?
Why was it initiated?

Maybe I'm just not seeing the underlying problem? But I think it's pretty straightfoward:
"When searching for something directly from the address bar, ..."
If the user types in Bing.com, and Opera redirects to ysrcunow that is a serious breach of trust.
The user does not appreciate receiving the wrong domain name.

My solution wouldn't be a problem with certificates, because it would just be in the hosts file. But, my solution wouldn't work, because (AFAIK), you can't ricochet host name to host name in the hosts file, just host name to IP.

While they say it's fixed, the larger questions still loom.

FosterWest

FosterWest Banned last edited by

Thanks for advice!

FosterWest

FosterWest Banned last edited by This post is deleted!