Closed Bug 1510933 Opened 6 years ago Closed 6 years ago

Malicious website manages to "lock" Firefox

Categories

(Toolkit :: General, defect)

63 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 613785

People

(Reporter: contact, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

WARNING: The following steps involve clicking on a link to a *malicious* website. Proceed with caution.

1 - Go to: http://zjchwi63vo.7epa4kq09.icu/ - MALICIOUS LINK BE CAREFUL
2 - The page successfully manages to alert-spam Firefox without triggering the alert spam detector.
3 - It successfully locks the user into its page unless the user can press CTRL+W / CMD+W fast enough between cancels.


Actual results:

As you can see, this malicious page exploits the fact that a login alert is handled differently than a normal alert in Firefox.

Instead of proposing to stop the page from asking for login again, Firefox continues to ask over and over again. It also locks the user in the page, since when a login page is open, it is impossible to go to another tab or close the current tab aside from using the CTRL+W shortcut. This behavior was also reproduced on a non-malicious website.


Expected results:

I have seen more and more malicious websites exploit the way Firefox handles the login alert to "lock" naive users on the page. It seems to be a design oversight, and login alerts should be handled the same way normal alerts are: the user should be able to block them or ignore them (without it blocking Firefox on the tab).

Status: UNCONFIRMED → RESOLVED
Has STR: --- → yes
Closed: 6 years ago
Component: Untriaged → General
OS: Unspecified → All
Product: Firefox → Toolkit
Hardware: Unspecified → All
Resolution: --- → DUPLICATE