Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave (bleepingcomputer.com) 78
Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vilvadi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.
bleepingcomputer -again-? (Score:1)
I just don't need downloads to auto-initiate (Score:4, Insightful)
Re: (Score:3)
Don't you know? It saves time! Having to move your mouse cursor a few inches here or there to click OK to begin a download is too time consuming. Think of all the time you waste every day having to manually click an acceptance button when you want to download a file.
This is the future, old man. Auto download, whether you like it or not. You'll take this file if it has to be shoved down your throat.
Re: (Score:2)
Don't you know? It saves time!
Really? Because the only pages that seem to auto-download anything do so with "Your download will begin shortly" followed by an advert.
Re:I just don't need downloads to auto-initiate (Score:5, Insightful)
It's quite simple, and quite stupid.
Everyone wants to streamline the user experience so much so as to avoid confusing users with things like downloading and installing.
So, as a result, everyone takes out the sensible controls which would otherwise prevent this shit, and things just happen automatically.
Microsoft has been leading the charge of this stupidity for a long time now -- from hiding extensions, to deciding that Outlook would be helpful and run any scripts it finds, to the auto-run shit on CDs that Sony used to install rootkits.
Increasingly, browsers are getting stupid and just say "hey, there's a script and some arbitrary code I know nothing about, let me just run that for you", so they create these issues themselves. No, sorry, I don't see the benefit in letting the dozens of embedded sites run code on my machine, because it's mostly just ads, analytics, trackers, and malware.
The problem is if you don't have the knowledge to block this shit, it happens without your knowing it, and often to very bad outcomes. And, since the internet has become (even more of ) a steaming swamp of bad actors, then things like browsers just rush ahead and keep doing the same stupid shit.
It's time to have browsers and other internet aware things be saying "why the fuck would I let you run scripts since I don't know who you are". But every time someone tries that, the ad companies screech and howl that their business model is in jeopardy. I don't fucking care about your business model, and since you're an ad company you can kiss my ass and fuck off.
If you want to know why this stuff happens, it's because browsers try to dumb down the experience to the point that you have no idea you've just allowed 15 external sites to run scripts and whatever else they want.
Re: (Score:3)
They don't really *need* scripts to throw up an ad. A flat JPG would do perfectly fine. I'd be perfectly find with JPG ads and have defended these, but the scripts, the video garbage, i've lost my tolerance for it. The websites are ramming down all of these 100% CPU scripts and bandwidth hogging video down peoples throats and then they act surprised and so hurt when people install an ad blocker. It really pisses me off.
Re: (Score:2)
Microsoft has been leading the charge of this stupidity for a long time now
Now, let's be fair: Microsoft is pretty late to the party on this. Removing or hiding options from users is very much an Apple thing.
Re: (Score:2)
You might want to look at uMatrix [google.com] (link for Chrome version). It does some of what you want (site specific handling of calls to different resources with a default that blocks external resources), but I don't think it allows you to substitute your own code.
Probably my 'if you had to use just one ...' extension.
Re: (Score:2)
Well, the problem is some sites are configured such that an affirmative click would not be possible. This is mostly related to site which implement hotlink blocking.
For example, let's say I don't want people hotlinking my downloads so I require the user to load a landing page first so they see they are on my site, and I am providing them with the file. When the page loads, I generate a unique download url for them that will only work once, so hotlinking is not possible. Then the page will redirect them to t
Re: (Score:2)
Attack of the clones (Score:2)
Re: (Score:3)
As each browser tries to grab market share, we experience the game of chromes.
When asked which browsers do this, we reply, "Chrome is some."
Re: (Score:2)
Not surprising that it works in those other browsers since they are all pretty much Chrome clones.
Regardless, I'm sure all 10 people who use Brave are worried about this development.
Re: (Score:2)
They're all cowards.
Re: (Score:2)
Not surprising that it works in those other browsers since they are all pretty much Chrome clones.
Regardless, I'm sure all 10 people who use Brave are worried about this development.
Yeah, both of them, assuming you're using binary.
Re: (Score:2)
Not surprising that it works in those other browsers since they are all pretty much Chrome clones.
But you will note that Safari isn't on the list; so WebKit must not be affected.
Yup, I've seen this. (Score:1)
The web and browsers have gone mad. I like turning off javascript just to have a simple web experience.
Re: (Score:2)
Usually, though, I find there's nothing under the js-clusterfuck. Noise > Signal.
Freeze the browser? (Score:2)
What is xkill?
Re: (Score:2)
I'd guess that most Windows users know what the equivalent utility is on their platform.
Re: (Score:2)
Fixed that for you.
"Most Windows users" still think the "blue e icon" means "the Internet". And yes, they think the Web is the Internet.
Re: (Score:2)
There is no way in hell that 'most Windows users'
Then they aren't actually running Windows. They are staring at a bunch of hung apps. If you can't find the process manager in your sleep, you haven't actually logged in to a Windows machine.
Re: (Score:1)
Smugness is not an endearing personality trait.
Close your eyes and read that very slowly.
But not Edge? (Score:3)
Re:But not Edge? (Score:5, Funny)
Things that cause Edge to run poorly would be redundant.
Re: (Score:3)
Why write an exploit for a system with no users?
Re: (Score:2)
Re: (Score:2)
Nostalgia.
Re: (Score:3)
Your's is the best post.
As I was reading all the bullshit here, including my stuff, Edge never entered my mind.
Wonder why that is?
I'm a retired IT guy and family members occasionally ask, "In Chrome, how do I ..." or, "Is there a Firefox extension that ..."
But never Edge.
Re: (Score:2)
Not ... (Score:2)
"Download bomb", indeed? (Score:2)
Website uses Download Bomb; it's super-effective!
Me: "WTF? What's your problem, Firefox?" Opens Task Manager, Ends Task on Firefox, re-launch Firefox; same thing happens on the same page. "Hmm, must be a fucked-up webpage, guess I won't go there." End Taks on Firefox again, re-launch again. Close the tab before it loads, go on to something else.
..where's the problem? People actually fall for this nonsense? Pathetic.
Shady (Score:2)
I love how the summary makes liberal usage of my favorite word to describe unscrupulous entities.
SHADY AS FUCK!
Sometimes it works (Score:2)
Browsers suck (Score:2)