Web page opens seemingly infinite number of instances of mail client ("Last Measure", GNAA)

RESOLVED DUPLICATE of bug 167475

Status

--
critical
13 years ago
9 months ago

People

(Reporter: sean.fao, Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 2 bugs)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], URL)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2

I did a quick search, but I'm rather uneducated on the subject so it's quite possible that this is a duplicate.  I apologize ahead of time if it is.

At any rate, the mirrors in the link posted above SHOULD NOT BE CLICKED.  They're being spread around Slashdot and digg (probably others, as well) in an attempt to trick users into clicking them.  Once clicked, Firefox automatically attempts to open a seemingly infinite number of instances of Outlook Express while blasting "I'm looking at gay porn" in the background along with extremely awful pictures.

Reproducible: Always

Steps to Reproduce:
Click any of the links in the mirror site above.  DO NOT CLICK THE LINK UNLESS YOU KNOW WHAT YOU'RE DOING.

Actual Results:  
A lot of very disturbing pictures came up on the screen and Firefox attempted to open a seemingly infinite number of instances of Outlook Express, which made it very difficult to get the situation back under control.

Expected Results:  
There isn't much you can do about protecting users from obscene images, but I really hope there is something that can be done to hinder the attempted DOS attack that prohibits you from closing anything.

about:buildconfig

Build platform
target
i586-pc-msvc

Build tools
Compiler 	Version 	Compiler flags
$(CYGWIN_WRAPPER) cl 	12.00.8804 	-TC -nologo -W3 -Gy -Fd$(PDBFILE)
$(CYGWIN_WRAPPER) cl 	12.00.8804 	-TP -nologo -W3 -Gy -Fd$(PDBFILE)

Configure arguments
--enable-application=browser --enable-update-channel=release --enable-optimize --disable-debug --disable-tests --enable-static --disable-shared --enable-official-branding --enable-svg --enable-canvas --enable-update-packaging

Created attachment 218772
Source of one site (w/out images or flash)
Most of the sites listed at lastmeasure appear to be down. Captured one, though, and attached it.

Outlook Express must be your default mail client. This thing creates a bunch of divs with the src being news: and mailto: urls. The divs are created in groups by a setTimeout that calls itself, so there will indeed be an infinite number of them.

External protocol handlers really don't make sense for divs/iframes/img etc. We probably have a bug on stopping them, in fact.  If we did, though, there are probably other ways to do the same thing (sending click events to plain links?)
Group: security

Comment 3

13 years ago
I think it would make sense to do the following:

* Subject external-protocol URL loads and helper app loads to the same restrictions as popup windows.

* Limit the number of (non-whitelisted) popups per user action to 1-3, so a single click can't be used as an excuse to open a hundred popups or OE windows.

I couldn't find a bug about restricting helper app and external protocol handlers so <iframe src> doesn't trigger them.

As for "HEY EVERYBODY I'M LOOKING AT GAY PORN", it might be possible to work around that with an *option* for disabling sound (bug 24418), limiting sound volume (bug 333208), or disabling sound in non-foreground windows and tabs.  But let's not make that the focus of this bug, since (a) it would be really hard to implement, (b) helper apps would defeat it, (c) it would have to be an option and wouldn't protect most people from these shock sites, and (d) fixing that wouldn't fix the annoying DoS.

I changed the URL from http://lastmeasure.com/mirrors.php to http://en.wikipedia.org/wiki/Last_Measure, so people looking at this bug report are less likely to fall victim.
Summary: Please Protect Us From GNAA → Web page opens seemingly infinite number of instances of Outlook Express
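
A toy model of the policy proposed in comment 3, combined with the point from the attachment comment that subresource loads should never reach external handlers. It is an illustration added here, not Firefox code and not part of the bug thread; the class, method and context names are hypothetical and the event trace is constructed.

```javascript
// Added illustration: names below are hypothetical, not Firefox internals.
// Schemes the browser renders itself; everything else is treated as external.
const INTERNAL_SCHEMES = new Set(["http:", "https:", "about:", "data:", "blob:"]);

class ExternalProtocolGate {
  constructor(maxPerGesture = 1) {
    this.maxPerGesture = maxPerGesture; // comment 3 suggests 1-3 per user action
    this.budget = 0;                    // launches left for the current user action
  }

  // Called only for a genuine user action (click, key press).
  onUserGesture() {
    this.budget = this.maxPerGesture;
  }

  // context: "navigation" (link or location change) or
  // "subresource" (src of an iframe, img and similar elements).
  decide(url, context) {
    let scheme;
    try {
      scheme = new URL(url).protocol;
    } catch {
      return "block:unparseable";
    }
    if (INTERNAL_SCHEMES.has(scheme)) return "allow:internal";
    if (context === "subresource") return "block:subresource";
    if (this.budget <= 0) return "block:no-user-gesture";
    this.budget -= 1; // each launch spends part of the gesture's budget
    return "allow:external";
  }
}

// Constructed trace: one subresource load, one click, then 100 repeated
// script-driven requests and a second protocol, as a looping timer would issue.
function replayConstructedTrace(gate) {
  const results = [];
  results.push(gate.decide("mailto:a@example.invalid", "subresource"));
  gate.onUserGesture();
  for (let i = 0; i < 100; i++) {
    results.push(gate.decide("mailto:a@example.invalid", "navigation"));
  }
  results.push(gate.decide("news:example.invalid", "navigation"));
  results.push(gate.decide("https://example.invalid/", "subresource"));
  const count = (prefix) => results.filter((r) => r.startsWith(prefix)).length;
  return { allowedExternal: count("allow:external"), blocked: count("block:"), results };
}
```

With a budget of 2, the single click in the trace lets two handler launches through and every later request is refused until the next user action.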

Comment 4

13 years ago
> I couldn't find a bug about restricting helper app and external protocol
> handlers so <iframe src> doesn't trigger them.

Found it: bug 167475.
Depends on: 167475

Updated

13 years ago
Depends on: 334987

Updated

13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 5

13 years ago
*** Bug 337630 has been marked as a duplicate of this bug. ***

Updated

13 years ago
Depends on: 213280
Fwiw, bug 229168 is where we're tracking all these issues...

Updated

13 years ago
Component: Safe Browsing → General
QA Contact: safe.browsing → general
*** Bug 291847 has been marked as a duplicate of this bug. ***
*** Bug 341140 has been marked as a duplicate of this bug. ***
Depends on: 181860
*** Bug 342785 has been marked as a duplicate of this bug. ***
I feel this on GNU/Linux, so it's not just Windows. This seems like a security bug. Someone please change that, I can't. I also can't change the OS and it happens not just on Windows....

Updated

12 years ago
Whiteboard: [sg:dos]
Last_Measure/GNAA is definitely not limited to Windows.
OS: Windows XP → All
Hardware: PC → All
Summary: Web page opens seemingly infinite number of instances of Outlook Express → Web page opens seemingly infinite number of instances of mail client

Updated

12 years ago
Blocks: 356638

Comment 12

12 years ago
Bug 356638 describes a new version of Last Measure that not only opens mailto: URLs, but also uses other external protocols.   For me, this caused both Mail and Thunderbird to open, and also caused unknown-protocol error dialogs and unused-protocols security dialogs.

Comment 13

12 years ago
I guess the root of evil is bug 167475.
Summary: Web page opens seemingly infinite number of instances of mail client → Web page opens seemingly infinite number of instances of mail client ("Last Measure", GNAA)
Blocks: 349392

Updated

9 years ago
Blocks: 432687
Duplicate of this bug: 1312145

Updated

2 years ago
Duplicate of this bug: 1313824
Seems like a duplicate.
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 167475