Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)
Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain.
[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.
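The summary describes a recognisable pattern on the wire: a page on one domain keeps loading a subresource on a different domain that answers 401 with a WWW-Authenticate challenge, over and over, while the user tries to leave. The script below is an added example for this thread (not code from the article, from Mozilla or from any of the commenters) showing how a defender could spot that pattern in egress proxy logs. The log format, the hosts (`prize-page.invalid`, `auth-trap.invalid`), the 30-second window and the threshold of three challenges are all constructed assumptions for the illustration; a real deployment would adapt the parser to the proxy's actual format and tune the thresholds.

```python
"""Heuristic detection of cross-origin HTTP-auth prompt loops in proxy logs.

Added example for this discussion; not code from the article or from Mozilla.
The log layout below is constructed for illustration:
    <iso-time> <client-ip> <method> <url> <status> <referer-or-dash> <www-authenticate-scheme-or-dash>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log. The first two lines are a benign same-origin intranet
# login (one challenge, then success). The remaining lines show a page on one
# domain repeatedly pulling a 401-challenging resource from another domain,
# which is the shape of the auth-modal loop the summary describes.
SAMPLE_LOG = """\
2018-08-01T10:00:00 10.0.0.5 GET https://intranet.example.com/ 401 - Basic
2018-08-01T10:00:02 10.0.0.5 GET https://intranet.example.com/ 200 - -
2018-08-01T10:05:00 10.0.0.7 GET http://prize-page.invalid/ 200 - -
2018-08-01T10:05:01 10.0.0.7 GET http://auth-trap.invalid/lock 401 http://prize-page.invalid/ Basic
2018-08-01T10:05:03 10.0.0.7 GET http://auth-trap.invalid/lock 401 http://prize-page.invalid/ Basic
2018-08-01T10:05:04 10.0.0.7 GET http://auth-trap.invalid/lock 401 http://prize-page.invalid/ Basic
2018-08-01T10:05:06 10.0.0.7 GET http://auth-trap.invalid/lock 401 http://prize-page.invalid/ Basic
"""

# Assumed tuning values: how many cross-origin challenges inside what window
# count as a loop rather than a legitimate login prompt.
WINDOW = timedelta(seconds=30)
THRESHOLD = 3


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, referer, challenge = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referer": None if referer == "-" else referer,
        "challenge": None if challenge == "-" else challenge,
    }


def is_cross_origin_challenge(rec):
    """True when a 401 with a WWW-Authenticate header was served to a request
    whose Referer host differs from the challenging host, i.e. the challenge
    came from an embedded resource (such as an iframe) rather than the page
    the user actually navigated to."""
    if rec["status"] != 401 or rec["challenge"] is None or rec["referer"] is None:
        return False
    return urlsplit(rec["url"]).hostname != urlsplit(rec["referer"]).hostname


def find_auth_loops(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {(client, challenging_host, embedding_host): peak_count} for every
    client that received at least `threshold` cross-origin challenges from the
    same host pair within `window`. Same-origin logins never qualify."""
    recent = defaultdict(deque)  # key -> timestamps of recent challenges
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_cross_origin_challenge(rec):
            continue
        key = (
            rec["client"],
            urlsplit(rec["url"]).hostname,
            urlsplit(rec["referer"]).hostname,
        )
        q = recent[key]
        q.append(rec["time"])
        # Slide the window: drop challenges older than `window`.
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (client, trap_host, page_host), n in find_auth_loops(SAMPLE_LOG).items():
        print(f"{client}: {n} cross-origin auth challenges from {trap_host} "
              f"while on {page_host}; candidate for blocking {trap_host}")
```

The key design choice is to key the sliding window on the (client, challenging host, embedding host) triple rather than on the challenging host alone: a single site that legitimately requires HTTP auth produces one same-origin challenge and then a 200, which the filter ignores, whereas the trap produces a burst of challenges whose Referer points at a different host. The challenging host reported by the heuristic is the natural candidate for a proxy or hosts-file block, which is the mitigation one commenter below reaches for.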
abusing a Firefox bug to trap users on malicious.. (Score:2)
I guess we need to include a few caring fingers as well. ESPECIALLY middle ones for those hard-to-reach, far-away keys.
(The bug is only 11 years old -- not even a teenager yet.)
Re: (Score:2, Insightful)
Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.
Re:abusing a Firefox bug to trap users on maliciou (Score:5, Interesting)
What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.
Re: (Score:2)
I think it's used for scareware, as in "Microsoft is locking your computer due to detected hacking, etc. Hackers are stealing your credit cards and personal information. Please call our technician, etc." And of course you cannot escape the windows that keep opening unless you spam the escape key. Actually, that's a different exploit but prolly used for the same purpose.
Re: abusing a Firefox bug to trap users on malicio (Score:2)
Didn't know this had been fixed anywhere. Getting these in IE is why I used Firefox with noscript.
Re: (Score:2)
What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.
Reminds me of the early web, popup hell, every attempt to close a popup opened three more - seriously, did they really think you we going to just finally say "ok, ok, I'll buy something, I give up!"
Re:abusing a Firefox bug to trap users on maliciou (Score:5, Informative)
Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.
iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:
Modal dialog boxes
This is a cancer that needs to be eliminated ASAP (and never should have existed in the first place).
Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".
Re: (Score:2)
I like a power user's tool with half a dozen different menus and toolbars and windows floating or docked all over the place and so do 99% of all the people here I would assume. Certainly nobody is intimidated by Visual Studio or Photoshop or anything else that throw a ton of controls at you. I see my old man is struggling even on fairly simple web sites though because there's too many menus and sidebars and dynamically expanding and contracting sections and whatnot. Modal dialogs make for a very simple inte
Re: (Score:2)
So: Given enough eyeballs, all bugs are shallow Linus's Law [wikipedia.org]
At first I thought I was reading the thread Scientists Identify Vast Underground Ecosystem Containing Billions of Micro-organisms [slashdot.org] and laughed, but then realized I was looking at the wrong tab. Still, you may have a point as TFS of that thread points out:
... the diversity of underworld species bears comparison to the Amazon or the Galapagos Islands, but unlike those places the environment is still largely pristine because people have yet to probe most of the subsurface.
Re:Hmmm... (Score:5, Interesting)
I have a firefox with standard adblock, anti tracking et al installed on pretty much all machines I administer. I got a panicked call from my mother, who runs one such machine primarily as her "youtube kittens and women magazines internet thingy" when she got stuck on one such site. No idea how she got there, but it seemed to manage to bypass the blockers I have on that machine. It happened about a month ago.
My guess is that she followed a bad link on social media or something like that to a new site that wasn't on the blacklist just yet. The easiest way out that I could figure over the phone was to literally hard crash the browser through the process manager, and then tell the browser on restart not to resume the session. There didn't seem to be any easy way out that I could quickly figure out over the phone otherwise. It just locked the browser to that malicious page.
Re: (Score:2, Informative)
I'm still not calling you back after fucking you in that thread. No matter how hard you stalk me.
Re: (Score:2)
Can't admit to something I didn't do. I can however keep mocking you as an ideologically driven science denier that you demonstrated yourself to be.
And no, still not calling you back. The only thing you'll ever get from me is mockery on the internet. Frankly, you're a great target for helping me vent daily frustrations on, as someone who demonstrably deserves all the scorn I can muster.
Re: (Score:2)
I defeated your anti-scientific dogma using logic, therefore I'm a nazi and you desperately trying to stalk me across slashdot posts is being anti-nazi.
We've come a long way folks. And this appears to be the destination. The batshit levels of insanity are real.
Re: (Score:1)
Not always the easiest thing to do randomly over the phone, but one way to deal with this is to add the parasitic domain to the hosts file with a 127.0.0.1 reference.
Re: (Score:2)
It's a desktop connected via ethernet cable, and no, I'm not making my mother crawl under the table to sort out the cables or router.
Re: (Score:1)
Sites that trap users are nothing new.
1. Go to some site
2. Press the 'back' button.
Didn't get out? Then you're on a malicious site that traps you. There are tons of those. Of course, the fix is often as simple as pressing back twice real fast, or using the back menu to go two steps back in one operation. Easy enough - but this blocking of "back" is just as evil as this slightly more advanced scheme. Still, you can get out by closing/killing the browser and restarting it. So no big deal.
So over Firefox these days (Score:1)
Firefox to me is no savior of privacy or champion of the web. They have sold out to Google, Yahoo, Pocket and installed an extension (AKA Mr. Robot) without permission. Yeah, Mozilla is a real saint when it comes to privacy and security. They used to have people at Mozilla who really did some good; they have either been forced out, or quit.
Re: So over Firefox these days (Score:3)
I'd recommend Mosaic over Firefox, these days.
Modal dialog boxes (Score:2)
Why do we have to suffer this horror in the first place?
I remember reading a memo by some Microsoft engineer from some 20 years ago who was porting Internet Explorer to Unix; he noticed there that the Unix folk are easily put off by modal dialog boxes and prefer to be able to open another window or page while a dialog box is active.
Is that no longer the case?
What happened since then? Why do we have to suffer the horror of gnome, which is making its dialog boxes global at display level, and nothing short o
Re: (Score:3, Insightful)
My professor in school ~20 years ago said to avoid modal dialogs because they piss people off and in many cases aren't required, and are lazy designs. And he was right.
Re: (Score:1)
Sure, everything is easy in my basement. Not so easy on corporate gear.
Re: (Score:1)
No need, ever. Anything that does this is only irritating.
Except for all those who can't use a mouse and still want to live in a modern world. Accessibility must be thought of as a first class programming standard, like security.
Re:Modal dialog boxes (Score:4)
I don't know if I'd consider myself a "Unix person (though I do really like Linux)," but the issue I have with Microsoft's modal/non-modal dialog boxes is the complete lack of consistency. And this isn't an IE/Edge problem, it's a Windows problem. Some windows you can resize and interact with other windows. Some windows you can't resize, but you can still interact with other windows. Some windows you can resize and the content of the window flows to expand. Some you can resize and the content doesn't flow at all. It's a complete mess.
bad (Score:5, Funny)
This is bad news for Firefox users. Both of them.
Re: (Score:2)
This is bad news for Firefox users. Both of them.
Ugh! Two people have already replied, so this must not be Firefox I'm using.
They may be open source.. However.. (Score:5, Insightful)
The CEO at Mozilla now seems to get paid over $800K per year.
I lost all respect when the CEO sent out an email absolutely begging for money to help the company survive, whilst they themselves could hire 10 full time employees with that money and still live comfortably. Management at Mozilla is begging for money whilst they are literally living like kings (and I donated a fair bit to Mozilla in the past).
Management seems to have reached max corruption, and if management gave a damn about the software, they would at least halve their salaries and hire more developers or start some community bounties with the money, instead of prioritising themselves. Even 300K is more than enough to live VERY comfortably. $800K is just greedy. Because, if management gave a The company is slowly returning to Netscape days and management seems more focused on their own gains.
I also wonder how many people with the current board of directors were those who started with the company.
They've been inept AND corrupt since the beginning (Score:1)
Everybody forgets that Firefox was a third party project that got brought into the fold, then bastardized with XUL.
Firefox, while still Phoenix, was originally a GTK2 based native app, with no XUL in use. The result of this was a bare Gecko browser window with tabbing support, back when Mozilla was still the Browser Suite with single windows, no tabs, and horrible overhead for each new window. Firefox did away with all that, became popular among nerds, who passed it on by word of mouth, then something amazi
Re: (Score:2)
Ah, the world-famous escape hatch "just", wherein "you get what you pay for" can pound sand, no questions asked.
Re: (Score:2)
When Firefox was forked from Mozilla, it was revolutionary.
It was promised to be non-bloated, incredibly fast, and have both theming and extensions which loaded easily (the alternative either had none, or required rebooting for every theme change, etc). That was what people like me were eager to donate to.
Then over time, it felt like management changed. I was genuinely interested in Firefox Mobile, but that seemed like there was simply insufficient developers for that project.
And instead of fixing issues,
Re: (Score:1)
You would have a valid point if Mozilla was a company. It is not; Mozilla is a non-profit. It was given its flagship product for free, and could give it for free; it never had to be profitable. I'd have a hard time thinking of some revolutionary feature Mozilla added to its browser that wasn't copied from Opera or Chrome. Fortunately for them, making Google the default search engine turned out to be wildly profitable. With the amount of money they got from Google in the good years (I think several hundred m
Re: (Score:1)
To put it in perspective, the French left wing is proposing a maximum wage of 400K euros (or a year ago, 360K euros). This is not far off from the Mozilla CEO's wage. Another way to frame the maximum wage by the same left wing movement/party is a ratio of 20:1 for the highest and lowest wages in a company - so think of a $40k/year janitor, although such a rule would be trivially gamed by outsourcing.
So, Mozilla CEO pay could be a bit lower perhaps.
Would be nice if *any* CEO at all wouldn't earn more than $800k. One $
And this is the only major Chrome alternative (Score:3)
Link? (Score:3)
I am supremely disappointed that the link didn't lead to a proof of concept that blew up my desktop because I am using Firefox.
Re: (Score:2)
Yeah, same. Probably be a blank page for me.
I'm shocked! (Score:2)
Give them a Break, They've been busy (Score:2)
Come on, they've been busy killing all of the old extensions, useful parts of the browser, changing the UI to something that nobody wants, and adding in useless features that would be better as extensions. Who has time to fix security bugs? There are only so many hours in a decade or so!
Re: (Score:2)
Yet that's still more than anyone in the snarky peanut gallery is doing, so I guess they're the Mozilla we deserve.
They're doing things that not only the users don't want, but the users explicitly want them to not do. Is that doing more, or doing less? I suppose it's doing more, but it's doing more bad, not doing more good. They are actively doing harm. Someone doing nothing is effectively doing more.
The web isn't to be trusted ... (Score:2, Interesting)
The web is a steaming pile of shit being exploited by ad companies and other assholes -- and I consider the ad companies to be as malicious as the black hats.
My Chrome has ScriptSafe and HTTP Switchboard. My Firefox has uMatrix and a few other things. My IE .. well, I use IE as the browser of last resort for shit I need to do but which won't play well with a sane browser.
I do *domain* level whitelisting, which means all third parties who aren't provably related to the proper operating of a web site I real