Closed
Bug 1412003
Opened 7 years ago
Closed 7 years ago
Malicious website makes closing tab hard using prompts
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1412559
People
(Reporter: r870767, Unassigned)
Details
Attachments
(4 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20170926190823
Steps to reproduce:
I used Firefox 56 on Windows 10. Browsed 'shady' websites, got redirected to the url below. It's a malware site, be careful when opening it.
http://wwwDOOOTmanualupdatenotificationDOOOTcom/firefox/?clickid=wBOA53LG2PIV6H79H50NJRAS&language=de
Replace DOOOT with the character '.'
Actual results:
Several prompts kept popping up (initially one), that prevented me from closing the tab or window. Most noticeably an authentication prompt and prompts about resending form info.
The interesting part is here, that I couldn't close the tab or window any more even while holding down ESC. In my original browser session I couldn't do anything useful anymore, no other GUI element or shortcut of firefox could be used and I had the ctrl+alt+del kill Firefox. When I tried it with a clean Firefox profile it was slightly less horrible, I couldn't close the tab easily either, only using advanced methods like through about:performance if I opened that beforehand.
When reproducing, in order to get 'trapped' just use Esc or cancel on a few prompts.
Expected results:
I should be able to close the tab/window, not matter what the malicious website does.
Either offer me an option to prevent more prompts from opening, or (preferably) make Firefox's GUI elements e.g. in the tab-bar usable even when a prompt pops up.
Updated•7 years ago
|
Blocks: eviltraps
Severity: normal → critical
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated•7 years ago
|
Status: UNCONFIRMED → NEW
status-firefox56:
--- → affected
status-firefox57:
--- → affected
status-firefox58:
--- → affected
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → All
Updated•7 years ago
|
Updated•7 years ago
|
Has Regression Range: --- → irrelevant
Has STR: --- → yes
Comment 6•7 years ago
|
||
Some tip to get out of this loop is to cancel Firefox confirmation prompt, next while pressing Esc, pressing close button on affected website page.
Updated•7 years ago
|
Component: DOM: Security → DOM
Too late to do anything here for 56 and likely too late for 57. I don't think we need to track this issue but can leave it to the DOM team to triage.
Comment 8•7 years ago
|
||
Without looking at the testcase, I think this is basically bug 1412559 and bug 1312243 (I thought we had another bug on file for repeated auth prompts, which can still happen somehow) and a similar bug on the eviltraps tracker that's about using fullscreen that I don't have to hand right now. Not sure if it's worth keeping this open separately.
I think it's unlikely we will make any meaningful progress in this domain area unless we dedicate some significant chunk of engineering time doing the tedious work of closing off a number of the different approaches people are using here. We've tried to address individual parts of the problem in the past, but attackers are just switching tactics to using other prompts / navigation tricks to accomplish the same general aim (forcing you to stay on the page). Without a coordinated approach, this is whack-a-mole at its finest.
Dan, who can coordinate something here? I'm happy to help with the engineering side of things, but I currently can't justify spending significant time on the problem.
Flags: needinfo?(dveditz)
Comment 9•7 years ago
|
||
So, let's dupe this to bug #1412559, as there is patch already there and same issue.
No longer blocks: eviltraps
Status: NEW → RESOLVED
Has Regression Range: irrelevant → ---
Has STR: yes → ---
Closed: 7 years ago
status-firefox56:
wontfix → ---
status-firefox57:
wontfix → ---
status-firefox58:
affected → ---
tracking-firefox56:
- → ---
tracking-firefox57:
- → ---
tracking-firefox58:
- → ---
Keywords: csectype-dos,
csectype-spoof,
reproducible,
ux-control
Resolution: --- → DUPLICATE
Updated•7 years ago
|
Flags: needinfo?(dveditz)
Updated•7 years ago
|
QA Contact: Virtual
Assignee | ||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•