Closed Bug 1412003 Opened 4 years ago Closed 4 years ago

Malicious website makes closing tab hard using prompts

(Core :: DOM: Core & HTML, defect)

56 Branch
Not set

(Reporter: r870767, Unassigned)

(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20170926190823

Steps to reproduce:

I used Firefox 56 on Windows 10. Browsed 'shady' websites, got redirected to the url below. It's a malware site, be careful when opening it.


Replace DOOOT with the character '.'

Actual results:

Several prompts kept popping up (initially one), that prevented me from closing the tab or window. Most noticeably an authentication prompt and prompts about resending form info.

The interesting part here is that I couldn't close the tab or window any more, even while holding down ESC. In my original browser session I couldn't do anything useful anymore; no other GUI element or shortcut of Firefox could be used, and I had to ctrl+alt+del to kill Firefox. When I tried it with a clean Firefox profile it was slightly less horrible: I couldn't close the tab easily either, only using advanced methods like through about:performance, if I had opened that beforehand.

When reproducing, in order to get 'trapped' just use Esc or cancel on a few prompts.

Expected results:

I should be able to close the tab/window, no matter what the malicious website does.

Either offer me an option to prevent more prompts from opening, or (preferably) make Firefox's GUI elements e.g. in the tab-bar usable even when a prompt pops up.
Attached image Screenshot 1
Attached image screenshot 2
Blocks: eviltraps
Severity: normal → critical
Component: Untriaged → DOM: Security
Product: Firefox → Core
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → All
Has Regression Range: --- → irrelevant
Has STR: --- → yes
One tip to get out of this loop is to cancel the Firefox confirmation prompt, then, while pressing Esc, press the close button on the affected website page.
Component: DOM: Security → DOM
Too late to do anything here for 56 and likely too late for 57. I don't think we need to track this issue but can leave it to the DOM team to triage.
Without looking at the testcase, I think this is basically bug 1412559 and bug 1312243 (I thought we had another bug on file for repeated auth prompts, which can still happen somehow) and a similar bug on the eviltraps tracker that's about using fullscreen that I don't have to hand right now. Not sure if it's worth keeping this open separately.

I think it's unlikely we will make any meaningful progress in this domain area unless we dedicate some significant chunk of engineering time doing the tedious work of closing off a number of the different approaches people are using here. We've tried to address individual parts of the problem in the past, but attackers are just switching tactics to using other prompts / navigation tricks to accomplish the same general aim (forcing you to stay on the page). Without a coordinated approach, this is whack-a-mole at its finest.

Dan, who can coordinate something here? I'm happy to help with the engineering side of things, but I currently can't justify spending significant time on the problem.
Flags: needinfo?(dveditz)
So, let's dupe this to bug #1412559, as there is a patch already there and it's the same issue.
No longer blocks: eviltraps
Has Regression Range: irrelevant → ---
Has STR: yes → ---
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1412559
Flags: needinfo?(dveditz)
Component: DOM → DOM: Core & HTML