Closed Bug 1439157 Opened 7 years ago Closed 7 years ago

Web site login feature permits un-closeable pop-up windows [spam exploit]

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
58 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 377496

People

(Reporter: champagne7, Unassigned)

Details

Attachments

(3 files)

Web shortcut + page content (with javascript login exploit that affects Firefox)
252.89 KB, application/x-zip-compressed
Details
Page content sample
24.45 KB, image/png
Details
Login window sample
8.86 KB, image/png
Details
Summary: For at least a year now, a malicious hacker has been installing hostile scripts on thousands of vulnerable web sites, which generate an un-closeable pop-up window by continuously prompting for login credentials. Currently working example URL: http://in-fact.tk/?number=800-758-2761 Notes: 1) The malicious server presents targeted threats based on user-agent string 2) Server will display innocent content if a valid phone number is not supplied 3) Chrome & Safari are not affected by the "recurring login" exploit 4) Images & web archive files are attached here in case the site goes down
Attached image Page content sample
Attached image Login window sample
Component - Core | Networking: HTTP
Component: General → Untriaged
Summary: Web site login feature permits un-closeable pop-up windows → Web site login feature permits un-closeable pop-up windows [spam exploit]
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
So, what the page is doing is it has this code at the end <script>window.location.reload();</script> This is causing it to reload each time you hit cancel on the login popup, which causes the page to load again and show the popup. I'm really not sure how we'd go about fixing this.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
bug 1312243 fixed this only partially, there is a counter bound to the top level inner window id [1] which changes on every reload. so location.reload() resets that. I think the way to fix this is to introduce a permission for tld+1 and subdomains that will switch to "disallow" but let user override one time when the number of canceled consecutive auth dialogs reaches some number (3 - 4) for a browser tab/tld+1 combo. [1] https://bugzilla.mozilla.org/attachment.cgi?id=8819273&action=diff#a/netwerk/protocol/http/HttpChannelChild.cpp_sec3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: