Bug 1571003 Comment 0 Edit History

Basic auth confirmation prompts can be abused for spamming users and stealing focus from the main window.

The prompts are created here:
https://searchfox.org/mozilla-central/rev/29cce9a2684ef64c4f1f996087da8b7545d31f65/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#1429

There does not seem to be any rate limiting, so this can also be used for DoS.

PoC: https://evil.pbz.pw/trap/confirm-auth-prompt-spam/
Source: https://github.com/Trikolon/evil-traps/blob/c8c08acf70d9fbeee38cede6b40dea339b50d8d2/src/traps/confirm-auth-prompt-spam/static/index.js

I've attached a screenshot of the "Superfluous-Auth" confirmation prompt.

Basic auth confirmation prompts can be abused for spamming users and stealing focus from the main window.

The prompts are created here:
https://searchfox.org/mozilla-central/rev/29cce9a2684ef64c4f1f996087da8b7545d31f65/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#1429

There does not seem to be any rate limiting, so this can also be used for DoS.

PoC: https://github.com/Trikolon/evil-traps/blob/a3026929ebdf57aa3942490f58cd758d4f2d746d/src/traps/confirm-auth-prompt-spam/index.js#L6
Source: https://github.com/Trikolon/evil-traps/blob/c8c08acf70d9fbeee38cede6b40dea339b50d8d2/src/traps/confirm-auth-prompt-spam/static/index.js

I've attached a screenshot of the "Superfluous-Auth" confirmation prompt.

Basic auth confirmation prompts can be abused for spamming users and stealing focus from the main window.

The prompts are created here:
https://searchfox.org/mozilla-central/rev/29cce9a2684ef64c4f1f996087da8b7545d31f65/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#1429

There does not seem to be any rate limiting, so this can also be used for DoS.

PoC: https://eviltrap.site/trap/confirm-auth-prompt-spam/
Source: https://github.com/Trikolon/evil-traps/blob/a3026929ebdf57aa3942490f58cd758d4f2d746d/src/traps/confirm-auth-prompt-spam/index.js#L6

I've attached a screenshot of the "Superfluous-Auth" confirmation prompt.