Sniffing Google’s blacklist for firefox

Firefox 2 has a new security feature which protects you from entering private data on phishing websites or getting infected with malware on a website which promises you heaven and earth.
Protection is done by comparing the website address (URL) against a so-called blacklist. The blacklist is maintained by the good folks at Google; they take care of updating it regularly and Firefox automagically downloads new versions.
Curious by nature, I wanted to know which websites were in the blacklist, so I took a peek in my .mozilla/firefox/… directory where all the user's stuff is stored. The blacklist itself is easily identified by its name, urlclassifier2.sqlite, and the extension betrays what kind of system is used to store the bad sites: SQLite.


SQLite is actually a database program, but in its simplest form. You don't need to run a database engine, set up permissions, etc.; the complete database is stored in a single file. So this is the KISS principle to the max, and it works great as long as the database doesn't grow too large or too complex.

Next thing to do is fire up sqlite and have a look at the structure of the database:

$ sqlite3  urlclassifier2.sqlite
SQLite version 3.4.2
Enter ".help" for instructions
sqlite> .tables
goog_black_enchash goog_black_url goog_white_domain goog_white_url
sqlite> .schema
CREATE TABLE 'goog_black_enchash' (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE 'goog_black_url' (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE 'goog_white_domain' (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE 'goog_white_url' (key TEXT PRIMARY KEY, value TEXT);

Looks simple enough; the bad sites are probably in goog_black_url:

sqlite> select * from goog_black_url LIMIT 3;
uggc://ybtva.zlfcnpr.psz.shfrnpgvba.hfre.fcynfu.ubzr.zlgbxra.76701n2644n8605.pn0qpor.pbz/vaqrk.cuc|c
uggc://ealfcnprv.pbz/vaqrk.pszshfrnpgvba=ybtva.cebprff&ZlGbxra-wrrqk4r1ssn-s3kg3k2ns0-4r3-sfs3n421-s7goskks3ks231.ugz|c
uggc://eeaelfcnpr.pbz/vaqrk.psz-shfrnpgvba657Qybtva.cebprff8526ZlGbxraf79843964886883084155.ugz|c
sqlite> .quit

Hmm, it turns out that the content is encoded with the famous ROT13 method. The reason being that the file might otherwise be flagged as harmful by locally running antivirus software.

So we need a ROT13 decoder. This is easily done with the unix utility tr, and the complete construct snugly fits into a one-liner:

echo "SELECT * FROM goog_black_url LIMIT 3;" | sqlite3 \
urlclassifier2.sqlite | tr N-ZA-Mn-za-m A-Za-z

Which will output something like:

http://login.myspace.cfm.fuseaction.user.splash.home.mytoken.76701a2644a8605.ca0dcbe.com/index.php|p
http://rnyspacei.com/index.cfmfuseaction=login.process&ZyGoken-jeedx4e1ffa-f3xt3x2af0-4e3-fsf3a421-f7tbfxxf3xf231.htm|p
http://rrnryspace.com/index.cfm-fuseaction657Qlogin.process8526ZyGokens79843964886883084155.htm|p
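The same decoding done in Python, as an added example that is not part of the original post: it builds an in-memory table with the goog_black_url schema shown above, fills it with constructed ROT13-encoded rows (the "|" in the sqlite3 output is just its column separator, so the trailing "c" is the value column, not part of the URL), decodes them, and does a simplified exact-match lookup of a URL against the decoded list. The sample rows and the exact-match check are assumptions for illustration, not Firefox's real canonicalised matching.

```python
import codecs
import sqlite3

# Constructed sample rows in the shape of the page's "select *" output:
# the key column holds the ROT13-encoded URL, the value column holds "c".
SAMPLE_ROWS = [
    ("uggc://cuvfuvat.rknzcyr/ybtva.cuc", "c"),   # http://phishing.example/login.php
    ("uggc://onq.rknzcyr/vaqrk.ugzy", "c"),       # http://bad.example/index.html
]


def rot13(text):
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def build_sample_db():
    """In-memory database using the goog_black_url schema from urlclassifier2.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE 'goog_black_url' (key TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO goog_black_url VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def load_blacklist(conn):
    """Return a dict mapping each decoded URL to its decoded value column."""
    rows = conn.execute("SELECT key, value FROM goog_black_url")
    return {rot13(key): rot13(value) for key, value in rows}


def is_blacklisted(url, blacklist):
    """Simplified exact-match lookup (assumption: Firefox canonicalises the
    URL before matching; that step is omitted here)."""
    return url in blacklist


if __name__ == "__main__":
    blacklist = load_blacklist(build_sample_db())
    for url, value in blacklist.items():
        print(f"{url}|{value}")
    print(is_blacklisted("http://bad.example/index.html", blacklist))
```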

If you’re brave, you might cut ‘n paste one of the URLs in your firefox browser and see what happens 😉