Closed
Bug 1312874
Opened 8 years ago
Closed 7 years ago
Using Modal http auth dialog to DoS browser
Categories
(Firefox :: Security, defect, P3)
Firefox
Security
Tracking
()
RESOLVED
DUPLICATE
of bug 377496
People
(Reporter: hwine, Unassigned, NeedInfo)
Details
Attachments
(1 file)
|
428 bytes,
text/plain
|
Details |
A friend stumbled on hlelo[.]com/<magic_path> from a link purporting to go to youtube. It opens a page with scary stuff about your PC being damaged - (even on a Mac) with a phone number to call - typical scam. However, the user can easily be trapped with no effective way to return to normal browser usage. Can be reproduced in both Nightly (52), beta (50), and release (49) with new profile. STR: 1. start browser with fresh profile 2. go to "bad url" (see attachment) What Actually Happened: - page is displayed with basic auth modal dialog - submitting or dismissing leads to immediate re-display of basic auth dialog - No normal menu options are available to restart in safe mode - No option to close tab - No option to close window - Quitting firefox works, but site is immediately reloaded on restart - No "normal" option to open 2nd window (but see below) What I expected to happen: - have some "obvious" way to close the offending tab, and return control of the browser to me.
|
Reporter | |
Comment 1•8 years ago
|
||
Workarounds: if you're lucky: keep submitting the basic auth dialog, and trying to close the tab before the basic auth dialog re-appears. Deterministic: disconnect from network; submit auth dialog; close tab; reconnect to network.
|
||
Comment 2•8 years ago
|
||
I've seen the likes of the reported issue before(different circumstances: malware infected computer, different browser, I was attempting to clean it), so I won't try to replicate this, but I can confirm that this is a valid bug.
Component: Untriaged → Security
|
||
Comment 3•7 years ago
|
||
Too late for firefox 52, mass-wontfix.
|
||
Updated•7 years ago
|
Blocks: eviltraps
Priority: -- → P3
Summary: DoS from Phishing Site - complicated workaround → Using Modal http auth dialog to DoS browser
|
|
||
Comment 4•7 years ago
|
||
The fix for this is eliminating the application-modal dialog (bug 613785)
Depends on: 613785
|
|
||
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
|
||
Comment 6•6 years ago
|
||
cleaning per dupe
is anyone who achieved this? iframe with evil web site can not reproduce the bug. there is my code <iframe src='http://10.10.99.36:8000/116.html' width="0" height="0" scrolling="no"> </iframe> if anyone who achieved this, please tell me . thanks in advance!
Flags: needinfo?(hell_test)
You need to log in
before you can comment on or make changes to this bug.
Description
•