siteplug.com and kqzyfj.com Psuedo-Hijack

yagnivek

This is bit of a bizarre one. Vivaldi seems to be redirecting specific address bar searchs somewhere else, google is my default search in Vivaldi.
I tested chrome and firefox, and private mode with all extensions disabled. Vivaldi does this with and without extensions enabled.

So the problem, if you type anything in the address bar: "colorful spatulas", "angry sloths", whatever, works no problem. You type "godaddy" though, that's when the weirdness happens.

When you type anything else the URL goes immediately to https://www.google.com/search?q=angry sloths as it should.

Type in godaddy and it first goes to:
https://vivaldi.com/bk/godaddy-us

That then redirects to a siteplug redirect that apparently cleans up mistyped URLs/Searches, I'm assuming GoDaddy uses this service. I "sanitized" it so it's not clickable.
hxxps://ww4.siteplug.com/sssdomweb?enk=7f8aa7511620ee216f72168d640e9ffeac7beaee8d3b01814edda1a4d55ef99a4c56408cdb4281a76deeddada3ccd914b8e32bcd9f5f8ed443cdd91bb9efd0413e6dd55c07dc030f

Then finally redirects to a potentially malicious domain of:
hxxps://www.kqzyfj.com/click-100297359-10378406?sid=49aa360ac7aea01df28a3d5637f3acd6

Searching GoDaddy in Vivaldi's address bar is the only time this happens. I have a sneaking suspicion this my actually be a siteplug.com issue and Vivaldi is honoring that service instead of just going straight to google for certain keywords or domains. I just don't know what other companies use SitePlug to test with.

Pesala

@yagnivek I cannot reproduce this issue.

Try looking at vivaldi://serviceworker-internals

Anyway, change your default search engine to one that respects your privacy. Google is considered to be evil by many Vivaldi users.

TbGbe

@yagnivek said in siteplug.com and kqzyfj.com Psuedo-Hijack:

Type in godaddy and it first goes to:
https://vivaldi.com/bk/godaddy-us

That is a "Vivaldi sponsored bookmark" (I suppose US only?).

Clicking that link also redirects for me to the "suspicious" domain.

You should create a Bug Report

As the Vivaldi bookmark needs to be verified and removed if "hijacked".

yagnivek

Apologies, would've done this sooner but had a very pregnant wife and new baby recently.

Anyway, bug report submitted, VB-85120.
Thanks @TbGbe for verification.

Shpankov

Hi all!

Actually, when testing these links (https://vivaldi.com/bk/godaddy-us and as well https://ww4.siteplug.com/sssdomweb?enk=7f8aa7511620ee216f72168d640e9ffeac7beaee8d3b01814edda1a4d55ef99a4c56408cdb4281a76deeddada3ccd914b8e32bcd9f5f8ed443cdd91bb9efd0413e6dd55c07dc030f that is under the previous link) I landed to the GoDaddy web-site.

From which countries you are trying to open these links?

Hadden89

@yagnivek You should check also your extensions at vivaldi://extensions/ as some malicious ones tends to hijack common used sites. Extensions for youtube or downloading videos are high suspects. Btw, congrats for the

Pathduck

@shpankov Why would GoDaddy/Conversant/Siteplug choose such a dodgy-looking domain (kqzyfj.com) to serve their affiliate redirects?

uBO just blocks it:

uBlock Origin has prevented the following page from loading:

https://www.kqzyfj.com/click-100297359-10378406?sid=177678573b2681f6511ad338cad29224

Because of the following filter:

||kqzyfj.com^

Found in: EasyList 

The Vivaldi ad-blocker also uses EasyList of course, but does not block direct requests and redirects (needs the $document rule for that).

TbGbe

@shpankov said in siteplug.com and kqzyfj.com Psuedo-Hijack:

From which countries you are trying to open these links?

Trying from UK.
With Ublock active I get the same blocking message as @Pathduck
Disabling Ublock ( ) am redirected to Godaddy UK.

Shpankov

@tbgbe OK, I will ask colleagues from security department to have a look.

Shpankov

OK, we replaced this partner link to direct link.

Thanks for reporting!