Open Bug 1061925 Opened 10 years ago Updated 2 years ago

looping mailto link can cause an out of memory condition

Categories: Core :: Security, defect

People: Reporter: curtisk, Unassigned

Whiteboard: [reporter-external]

Attachments: 1 file

Attached file poc.html
Subject: Remote computer crash through mail
From: Dylan Katz <dylanishappy1@gmail.com>
To: security@mozilla.org
-----//-----
Vulnerability: This vulnerability allows attackers to crash a victim's computer upon visiting a webpage using mailto links.

Reproduction:
<a href="mailto:email@example.com" id="crash"></a>
<script type="text/javascript">
while(true) {
document.getElementById("crash").click();
}
</script>
As far as I know, it doesn't disclose any information, but it would appear to stop the user's internet connection after crashing and until the next reboot.
Tested briefly on OS X 10.9.4 Firefox 32
This opens a ton of mail windows, but I could still kill the browser and then close the windows. I suspect on machines with lower available memory this just opens a ton of windows, causing an out of memory issue. So this could be a very annoying attack at the least or, depending on the crash, something more. Marking as s-s for now as the POC here is just not nice.

Dylan, what OS and Firefox version were you using in your testing?
Flags: needinfo?(dylanishappy1)
I used Firefox on my Windows machine, but I've verified this works on several platforms with several browsers such as Chrome.
Flags: needinfo?(dylanishappy1)
Note bug 670328, which imo we should fix.
(In reply to Boris Zbarsky [:bz] from comment #3)
> Note bug 670328, which imo we should fix.

Given the other bug's similarity, should we keep this bug open? We can hide the attachment (as I think we should).
Flags: needinfo?(bzbarsky)
I'm not sure there's a point to hiding the attachment either; lots of ways to trigger OOM...
Flags: needinfo?(bzbarsky)
Group: core-security
Severity: normal → S3