I'm trying to debug what data is sent by Firefox to Google's Safe Browsing APIs.

So far, I was able to tap into the request sent, which looks something like:

https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST&$req=ChUKE25hdmNsaWVudC1hdXRvLWZmb3gaJwgFEAQaGwoNCAUQBhgBIgMwMDEwARCk1QkaAhgKsy218SICIAIoARonCAEQBBobCg0IARAGGAEiAzAwMTABENeOCBoCGAr-a4NBIgIgAigBGicIAxAEGhsKDQgDEAYYASIDMDAxMAEQ_JYIGgIYCtVt0KUiAiACKAEaJwgHEAQaGwoNCAcQBhgBIgMwMDEwARDcuAgaAhgKOQYHqCICIAIoARolCAkQBBoZCg0ICRAGGAEiAzAwMTABEB8aAhgKNd1EeSICIAIoAQ==

or

https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST&$req=ChUKE25hdmNsaWVudC1hdXRvLWZmb3gSGwoNCAUQBhgBIgMwMDEwARCq1QkaAhgGlctYrBouCAUQBBoGCgTnIr_kGgYKBDB7AsgaBgoEcj_bPBoGCgScmzMmGgYKBMkwXGMgAQ==

How do I figure out what the plain text payload is?

So far, using the stack trace, it looks like the payload is encoded using:

https://searchfox.org/mozilla-central/source/toolkit/components/url-classifier/UrlClassifierListManager.jsm#591
user401445

1 Answer

Disclaimer

This is literally my first post

Anyways, I saw this today while using Cypress; I don't think it's anything to worry about. This is a stretch, but have you considered the "==" at the end of the URL? Isn't that base64?

I plugged your

ChUKE25hdmNsaWVudC1hdXRvLWZmb3gSGwoNCAUQBhgBIgMwMDEwARCq1QkaAhgGlctYrBouCAUQBBoGCgTnIr_kGgYKBDB7AsgaBgoEcj_bPBoGCgScmzMmGgYKBMkwXGMgAQ== 

into https://www.base64decode.org and got this back: navclient-auto-ffox, along with other junk characters; try the decoder if you really need to see them.

Might as well quickly check out navclient-auto-ffox on Google. Weirdly enough, it replaced my search string with ?navclient-auto-ffox??. Whatever, the first site to come up is:

http://kb.mozillazine.org/Browser.safebrowsing.provider.%2A.updateURL

and I quote:

Possible values and their effects

The URL from which blacklist information is retrieved.

By default

The following preference and value exists: browser.safebrowsing.provider.0.updateURL:

  • http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}

In trunk builds:

browser.safebrowsing.provider.0.updateURL:

  • http://safebrowsing.clients.google.com/safebrowsing/downloads?client={moz:client}&appver={moz:version}&pver=2.1

(The string {moz:client} is replaced by 'navclient-auto-ffox' plus the version number for official builds. The string {moz:version} is replaced by the browser’s version of Gecko.)
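
The "junk characters" around navclient-auto-ffox are protobuf wire format (the URL itself says `$ct=application/x-protobuf`), wrapped in URL-safe base64. The following is an added example, not part of the original question or answer and not Mozilla's code: a schema-less decoder run on the `$req` value from the question. The names `REQ`, `URL`, `req_bytes`, `varint`, `parse` and `hash_prefixes` belong to this example, and reading field path 3 → 3 → 1 as the threat entries' hash prefixes is an assumption based on the public Safe Browsing v4 protobuf definition.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# $req copied from the fullHashes:find URL in the question ($ct and key omitted).
REQ = ("ChUKE25hdmNsaWVudC1hdXRvLWZmb3gSGwoNCAUQBhgBIgMwMDEwARCq1QkaAhgGlctYrBou"
       "CAUQBBoGCgTnIr_kGgYKBDB7AsgaBgoEcj_bPBoGCgScmzMmGgYKBMkwXGMgAQ==")
URL = "https://safebrowsing.googleapis.com/v4/fullHashes:find?$httpMethod=POST&$req=" + REQ

def req_bytes(url):
    """Pull $req out of the query string and undo the URL-safe base64."""
    req = parse_qs(urlsplit(url).query)["$req"][0]
    return base64.urlsafe_b64decode(req + "=" * (-len(req) % 4))

def varint(buf, i):
    """Read a base-128 varint at buf[i]; IndexError means truncated input."""
    val = shift = 0
    while True:
        byte, i = buf[i], i + 1
        val |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return val, i

def parse(buf):
    """Schema-less wire-format walk -> [(field_number, value), ...]."""
    out, i = [], 0
    while i < len(buf):
        tag, i = varint(buf, i)
        field, wt = tag >> 3, tag & 7
        if field == 0 or wt not in (0, 1, 2, 5):
            raise ValueError("not a protobuf field")
        if wt == 0:                       # varint value
            val, i = varint(buf, i)
        else:                             # length-delimited, fixed64 or fixed32
            n, i = varint(buf, i) if wt == 2 else ({1: 8, 5: 4}[wt], i)
            val, i = buf[i:i + n], i + n
        if i > len(buf):
            raise ValueError("truncated field")
        if wt == 2 and val:
            try:                          # nested message, else keep raw bytes
                val = parse(val)
            except (ValueError, IndexError):
                pass
        out.append((field, val))
    return out

def hash_prefixes(url):
    """Hex of every value at field path 3 -> 3 -> 1 (assumed: hash prefixes)."""
    info = next(v for f, v in parse(req_bytes(url)) if f == 3)
    return [entry[0][1].hex() for f, entry in info if f == 3]
```

Without the `.proto` file the nesting is a guess: a bytes field that happens to be valid wire format is shown as a sub-message. Here field 2 stays raw because its last four bytes do not parse.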