Hostile site causes browser to use huge amounts of memory and stall out entire Linux machine
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: nagle, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
533.19 KB,
image/png
|
Details |
Screenshot from a retry before the site was able to spawn too much
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce:
Ad code generated popup for https://hotfriend4.ml/call-now2/
Actual results:
This was enough to lock up a Ubuntu Linux machine (16.04 LTS) due to many gigabytes of memory consumption and swap thrashing. First time I've seen a hostile site able to do this to Firefox on Linux.
Forks off many content processes, about 16 of them. Saw that with "ps ax" But no screenshot of that; system was too overloaded to take a screenshot or copy/paste text.
Obviously a hostile site. See screenshot. If you don't "enter a password", but keep closing the fake "authentication" popup, it starts consuming vast amounts of resources to overload the target machine. It's clearly aimed at Windows users, from the screenshot. It may be able to do more damage over there.
Clicking the close button on Firefox's main window had no effect. Finally managed to do a "kill" on Firefox, and all the Firefox processes exited.
Expected results:
At some point Firestorm should limit its resource usage.
|
Reporter | |
Comment 1•6 years ago
|
||
Spawns Firefox processes like this:
22717 ? Sl 0:03 /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 6312 -prefMapSize 179444 -parentBuildID 20190327091122 -greomni /usr/lib/firefox/omni.ja -appomni /usr/l
22785 ? Sl 0:04 /usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 6312 -prefMapSize 179444 -parentBuildID 20190327091122 -greomni /usr/lib/firefox/omni.ja -appomni /usr/l
22826 ? Sl 0:12 /usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 6312 -prefMapSize 179444 -parentBuildID 20190327091122 -greomni /usr/lib/firefox/omni.ja -appomni /usr/l
23064 ? Sl 0:04 /usr/lib/firefox/firefox -contentproc -childID 9 -isForBrowser -prefsLen 6694 -prefMapSize 179444 -parentBuildID 20190327091122 -greomni /usr/lib/firefox/omni.ja -appomni /usr/l
Once this site has activated, the Firefox window close button no longer works. Only "kill" from a command window will stop it.
|
||
Comment 2•6 years ago
|
||
Thanks John for the report. This indeed looks scary. Unfortunately, from what I know, these type of scam sites/ads are quickly shut down or they change the address, so probably in matter of hours it won't be available for testing.
However, it would be really useful to know how to choke OS resources in that matter. Mike, do you think we have anything actionable here or if there is a specific component where we track these kind of issues?
|
|
Reporter | |
Comment 3•6 years ago
|
||
Yes, the attack site is gone from that domain. But it's probably still around elsewhere and could be found.
It's striking that this was able to completely overload a Linux machine. That's unusual from the Firefox level. Some resource within Firefox needs to be throttled. Firefox should never consume so much memory that the VM system thrashes.
|
||
Comment 4•6 years ago
|
||
Looks like an eviltrap to me.
|
||
Comment 5•6 years ago
|
||
Yes, that's a classic evil trap. Unfortunately, the source of the website seems gone and we rate-limited the basic auth dialog in bug 377496, so I'm not sure there's anything this bug can tell us.
Description
•