Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Chrome Firefox Security

Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave (bleepingcomputer.com) 78

Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vilvadi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.
This discussion has been archived. No new comments can be posted.

Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave

Comments Filter:
  • by Anonymous Coward
    I mean, if I wanted a bleepingcomputer RSS subscription I'd get one..
  • by ScentCone ( 795499 ) on Tuesday July 03, 2018 @09:21AM (#56886022)
    I've never seen the value of a page being able to spawn a download dialog without an affirmative click on a download link to the resource being fetched. Not that dumb people will be saved from themselves if there's something to click on ("Oh! It says to click on this - I guess I better click on it!"), but the "if your download doesn't start automatically, click here" language always seemed unnecessary. Perhaps I'm missing something on why a cruise-control file download should ever be supported?
    • Perhaps I'm missing something on why a cruise-control file download should ever be supported?

      Don't you know? It saves time! Having to move your mouse cursor a few inches here or there to click OK to begin a download is too time consuming. Think of all the time you waste every day having to manually click an acceptance button when you want to download a file.

      This is the future, old man. Auto download, whether you like it or not. You'll take this file if it has to be shoved down your throat.
      • Don't you know? It saves time!

        Really? Because the only pages that seem to auto-download anything do so with "Your download will begin shortly" followed by an advert.

    • by Anonymous Coward on Tuesday July 03, 2018 @09:37AM (#56886122)

      Perhaps I'm missing something on why a cruise-control file download should ever be supported?

      It's quite simple, and quite stupid.

      Everyone wants to streamline the user experience so much so as to avoid confusing users with things like downloading and installing.

      So, as a result, everyone takes out the sensible controls which would otherwise prevent this shit, and things just happen automatically.

      Microsoft has been leading the charge of this stupidity for a long time now -- from hiding extensions, to deciding that Outlook would be helpful and run any scripts it finds, to the auto-run shit on CDs that Sony used to install rootkits.

      Increasingly, browsers are getting stupid and just say "hey, there's a script and some arbitrary code I know nothing about, let me just run that for you", so they create these issues themselves. No, sorry, I don't see the benefit in letting the dozens of embedded sites run code on my machine, because it's mostly just ads, analytics, trackers, and malware.

      The problem is if you don't have the knowledge to block this shit, it happens without your knowing it, and often to very bad outcomes. And, since the internet has become (even more of ) a steaming swamp of bad actors, then things like browsers just rush ahead and keep doing the same stupid shit.

      It's time to have browsers and other internet aware things be saying "why the fuck would I let you run scripts since I don't know who you are". But every time someone tries that, the ad companies screech and howl that their business model is in jeopardy. I don't fucking care about your business model, and since you're an ad company you can kiss my ass and fuck off.

      If you want to know why this stuff happens, it's because browsers try to dumb down the experience to the point that you have no idea you've just allowed 15 external sites to run scripts and whatever else they want.

      • They don't really *need* scripts to throw up an ad. A flat JPG would do perfectly fine. I'd be perfectly find with JPG ads and have defended these, but the scripts, the video garbage, i've lost my tolerance for it. The websites are ramming down all of these 100% CPU scripts and bandwidth hogging video down peoples throats and then they act surprised and so hurt when people install an ad blocker. It really pisses me off.

      • by pots ( 5047349 )

        Microsoft has been leading the charge of this stupidity for a long time now

        Now, let's be fair: Microsoft is pretty late to the party on this. Removing or hiding options from users is very much an Apple thing.

    • Well, the problem is some sites are configured such that an affirmative click would not be possible. This is mostly related to site which implement hotlink blocking.

      For example, let's say I don't want people hotlinking my downloads so I require the user to load a landing page first so they see they are on my site, and I am providing them with the file. When the page loads, I generate a unique download url for them that will only work once, so hotlinking is not possible. Then the page will redirect them to t

  • Not surprising that it works in those other browsers since they are all pretty much Chrome clones.
    • Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

      Regardless, I'm sure all 10 people who use Brave are worried about this development.

      • They're all cowards.

      • Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

        Regardless, I'm sure all 10 people who use Brave are worried about this development.

        Yeah, both of them, assuming you're using binary.

    • Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

      But you will note that Safari isn't on the list; so WebKit must not be affected.

  • The web and browsers have gone mad. I like turning off javascript just to have a simple web experience.

    • I keep all cookies off (* scope uMatrix), and all 3rd-party everything-else off as well. It's better. If you keep all 1st-party JS off, most sites are utterly blank. At least when you allow the domain to do what it's trying to, you get a good value measure of whether the content is worth seeing, before you need to decide to check from where they want their 3rd-party scripts.

      Usually, though, I find there's nothing under the js-clusterfuck. Noise > Signal.
  • What is xkill?

  • by Kenja ( 541830 ) on Tuesday July 03, 2018 @09:53AM (#56886210)
    Or do people just not care enough to exploit it on Microsofts browser?
  • ... Palemoon?
  • Website uses Download Bomb; it's super-effective!

    Me: "WTF? What's your problem, Firefox?" Opens Task Manager, Ends Task on Firefox, re-launch Firefox; same thing happens on the same page. "Hmm, must be a fucked-up webpage, guess I won't go there." End Taks on Firefox again, re-launch again. Close the tab before it loads, go on to something else.

    ..where's the problem? People actually fall for this nonsense? Pathetic.

  • I love how the summary makes liberal usage of my favorite word to describe unscrupulous entities.

    SHADY AS FUCK!

  • I had to explain to my ex, "No, you don't call the phone number and give them your credit card number, you hit Ctrl-Alt-Delete, bring up Task Manager, and kill the browser process(es), idiot!" Of course, that assume the victim is running Windows (fairly safe assumption).
  • I have a new computer running Linux and it'll quite often lock up when running Chrome. It only happens in Chrome. Such a crap browser, but I still prefer the web experience slightly more than Firefox so I live with the pain. Thank god for SSDs running at 1800mb/s.

news: gotcha

Working...