Closed Bug 909615 Opened 11 years ago Closed 11 years ago

possibility to hinder user from closing website tab/complete browser through js

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
23 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: maik.wellmann, Assigned: amuntner)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, Whiteboard: [reporter-external][verif?])

Attachments

(2 files)

firefox_close_hindrance.7z
(deleted), application/octet-stream
Details
index2.html
(deleted), text/plain
Details
Attached file firefox_close_hindrance.7z (deleted) — 
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36 OPR/16.0.1196.55 (Edition Next)

Steps to reproduce:

1. Open affected website
2. Try to close the tab or browser


Actual results:

First a js dialogue will display saying that the Browser has been locked. If you click it away a firefox dialogue will appear, saying that the site has asked to let the user confirm if it really should be closed. If you tell firefox to close the site regardless the message will just appear again and again hindering the user from actually closing the tab/browser. In this case criminals were trying to collect ransom through this scheme, saying that the browser lock down was done by the police as a result of illegal user actions.


Expected results:

Firefox should close the tab/browser after being told so by the user without asking again.
assigning to adam for verification
https://wiki.mozilla.org/Security/Web_Bug_Rotation#Web_Bug_Verification
Assignee: nobody → amuntner
Whiteboard: [reporter-external][verif?]
 Maik,

Thanks for reaching out. I started analyzing this and while you're right, it is very annoying, I was able to close it by right-clicking my task bar and selecting close. When I tested it, my browser tried opening the close.php file instead of using the content, so I'm guessing this came form a web site originally that reported the correct mime type in the server header. 

If you could point me to where you found it in the wild, that would be most helpful in developing an understanding of what I'm looking at. 

I did some more research and it looks like this might be part of something called "BKA Trojan," http://www.chip.de/news/BKA-Trojaner-entfernen-Anleitung-fuer-Windows_61898512.html but I'm not convinced yet whether it's BKA-Trokan or some kind of variant or something totally web based that just looks like BKA-Trojan.
In index.html, the following appears:

<body onkeypress="return catchControlKeys(event);">
<iframe srcdoc="<script>window.onbeforeunload = function(env){return 'Ihr Browser hat gesperrt. Alle PC-DATEN WE
RDEN festgehalten und Strafverfahren gegen Sie eingeleitet, wenn eine Geldbuße nicht bezahlt werden.';}</script>
" src="de/close.php"></iframe>
<iframe srcdoc="<script>window.onbeforeunload = function(env){return 'Ihr Browser hat gesperrt. Alle PC-DATEN WERDEN festgehalten und Strafverfahren gegen Sie eingeleitet, wenn eine Geldbuße nicht bezahlt werden.';}</script>" src="de/close.php"></iframe>
....(etc)

This is repeated 120 or so times. I edited the index.html file so that it only displayed once and the repetitive behavior stopped. It doesn't prevent one from closing the tab forever, it just seems like it. I don't think it's a bug in javascript or the browser, it's better classified as an annoyance, and you're right in that it's a very annoying one!

If the tab containing this content is the only one open, there is no 'close tab' button, this is normal browser behavior. 

The html files you sent contain only relative links such as 

<form action="checkout.php" method="post" onsubmit="retu
rn check(); window.onbeforeunload = null; window.document.body.onbeforeunload = null;">

but not links to a website in the wild.


I'm going to close this bug because it's not a browser bug or a bug with one of Mozilla's websites, but I'm happy to continue to investigate if you can point me to the place where this was found in the wild. 

Thanks again, Maik, I'm looking forward to seeing the site in the wild.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Attached file index2.html (deleted) — 
replacement index.html with repeats reduced to 1 from 120-something to de-annoying-ize it.
Blocks: eviltraps
This is unfortunately the web working as specified. If you get different behavior for another browser maybe we can copy their way of handling it without breaking too much legitimate content that use these same features in useful and benign ways.
Group: core-security
Keywords: csec-dos
Resolution: INVALID → WONTFIX
Hi,

here's the one in the wild:
http://f9654.com

Seems like I haven't done the copying correctly that I had done to preserve the contents since I can't control the web server, but at first look the checkout.php seems to be more or less the same as the index.html, i.e. kind of a recursive function.

Anyways, closing through a right click on the task bar does not work for me - always the same annoying messages.

The problem is that these criminals can repeat the code ad infinitum, practically locking the user's browser down. I think we all can agree that no website should be able to do so, right? It should always be the user who decides when to close a tab - not the website. What kind of trick involved does not matter for the end user, he just wants control. Firefoxe's close confirmation dialogue should be tab wide, i.e. only ask once and then close the tab without allowing further interventions from any (i)frames/scripts.

@Daniel Veditz
I haven't seen this behavior in my other browsers. Also not sure if this is really expected behavior, i.e. allowing this kind of trick for every (i)frames. I don't think you want your users being locked in by these ransomware scams.

To quote your site (http://www.mozilla.org/en-US/firefox/security/):
"Stay in Control"
Notes: 

When you enter a 14 digit number as the MoneyPak code, your browser does a POST to 

/checkout.php?vouchid=12345678901234&country=us&voucherSubmit=UNLOCK+YOUR+PC+NOW%21

where voichid is the code you entered on the web page.

The site then redirects you to 

fbi.gov.alphanumericstuffhere.f9654.com?result=success

The page says that your browser will be "unlocked" in 12 hours but it isn't really "locked" and there is no mechanism that does anything after that.

If you send the site too many requests it will redirect queries from your ip to a porn website as a protective mechanism.
Maik - 

There are lots of websites like this, I set this bug as a blocker for bug 432687, the "eviltraps" metabug.

"There are javascript based websites that are traps which cause Firefox to show nasty content and stop answering user requests. Firefox behavior in these situations is really bad since it obey to the code and stop to listen to the user, it's not possible to close, change the configuration, close the tab or even exit Firefox!"

"Fixing" it is a tough one because as dveditz noted, there are a lot of benign websites that use similar javascript techniques and it's not straightforward to be able to tell the difference between bad and legit uses of certain js coding patterns.

I reported the site to Google's badware reporting page at http://www.google.com/safebrowsing/report_badware/ but of course the bad guys can always just set up another unfortunately.

See: http://www.mozilla.org/en-US/firefox/phishing-protection/
Notes:

I also sent an email to security@moneypak.com so they can try to identify and shut down the scammers account.
I don't know about the other traps but this one looks relatively easy to correct.

Q. What does the user want to do?
A. Close the Tab.

Q. Is it OK for a website to intercept this by a confirmation dialogue?
A. Under some circumstances: Yes.

Q. Should this confirmation dialogue be repeated for every (i)frame?
A. IMHO, no. The user has not(!) asked the browser to close some specific (i)frame, but to close the tab. Once the user has confirmed that he wants to close the tab firefox should do just that.

The problem is that Firefox works in a totally unexpected way. The user clicked on the tab close button and when a confirmation dialogue appears he expects that this is for confirming the tab close action. I don't see any valid reason for Firefox to disrespect the users wish in this regard. I would be a different thing if the user asked to just close a specific (i)frame but I don't think that Firefox even allows that?
Maik, I asked in the Metabug for someone more familiar with Firefox internals than I am to comment.
This is a dup of bug 578828 or bug 636374.  I'll mark the latter as csec-dos.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: