Closed Bug 955868 Opened 11 years ago Closed 11 years ago

Block ransomware: Limit rate of "confirm to leave" dialogs

Categories

(Firefox :: Security, defect)

26 Branch
x86
All
defect
Not set
critical

RESOLVED DUPLICATE of bug 636374

People

(Reporter: markus.kell.r, Unassigned)

Details

Attachments

(1 file)

I was surfing around and some redirect link brought me to s845340.com (IP: 176.103.48.14). That site pretends to be from our local government and bullies me into paying some ransom.

I tried to close the tab or window, but that doesn't work because the site repeatedly opens an alert dialog, followed by Firefox's "Are you sure?" dialog with the "Leave Page" and "Stay on Page" buttons. When I click "Leave Page", the same dialog is opened again and again. There is no way to get out of this loop other than killing the Firefox process.

When the user clicks "Leave Page", the page should be closed and no JavaScript code should be executed any more (that's what Safari seems to do).

If you can't kill all script executions in this case, then at least fix the "Are you sure?" dialog by adding the "Prevent this page from creating additional dialogs" checkbox that is already shown in repeated alert dialogs. The user should be able to escape from "Are you sure?" dialogs in the same way. When the user checks the checkbox and then clicks "Leave Page", then make sure no script code is executed any more.

Same behavior on Mac and Windows 7. Sometimes, a page with a single tab can be closed without dialogs, but as soon as there are 2 or more tabs, I didn't find an escape.
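
The two behaviours requested in the report above (stop all script once "Leave Page" is clicked, or else offer the suppression checkbox on repeated leave prompts), modelled as a small state machine. This is an added example, not part of the original report and not Firefox code; `PageDialogGate`, `request`, `answer` and `simulate` are hypothetical names, and the dialog trace is constructed.

```javascript
// Model of the dialog policy requested in this report (added example, not Firefox code).
// PageDialogGate, request(), answer() and simulate() are hypothetical names.
class PageDialogGate {
  constructor({ haltOnLeave, offerCheckbox }) {
    this.haltOnLeave = haltOnLeave;     // primary request: "Leave Page" stops all script
    this.offerCheckbox = offerCheckbox; // fallback: checkbox on repeated dialogs
    this.shown = 0;                     // dialogs already shown for this page
    this.suppressed = false;            // user ticked the checkbox
    this.halted = false;                // page is closing, script no longer runs
  }

  // Page script asks for a dialog; kind is "alert" or "beforeunload".
  request(kind) {
    if (this.halted) return { action: "drop" };
    // A suppressed leave prompt resolves as "leave", never as "stay".
    if (this.suppressed) return { action: kind === "beforeunload" ? "leave" : "drop" };
    this.shown += 1;
    return { action: "show", checkbox: this.offerCheckbox && this.shown > 1 };
  }

  // The user's answer to a dialog that was shown.
  answer(kind, { leave = false, suppress = false } = {}) {
    if (suppress) this.suppressed = true;
    if (kind === "beforeunload" && leave && this.haltOnLeave) this.halted = true;
  }
}

// Constructed trace of the reported loop: alert, then leave prompt, repeated.
// The simulated user always clicks "Leave Page" and ticks the checkbox when offered.
function simulate(policy, rounds) {
  const gate = new PageDialogGate(policy);
  let seen = 0;
  for (let i = 0; i < rounds; i++) {
    for (const kind of ["alert", "beforeunload"]) {
      const r = gate.request(kind);
      if (r.action !== "show") continue;
      seen += 1;
      gate.answer(kind, { leave: true, suppress: r.checkbox });
    }
  }
  return seen; // dialogs the user had to click through
}
```

With neither measure the user clicks through every dialog the page requests; with either one the loop ends after the second dialog.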

Thanks for the report, we are looking into this in bug 636374.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE

(In reply to comment #0)
> ... source of the ransomware page (careful: traps your browser if opened as HTML) ....
> There is no way to get out of this loop other than killing the Firefox process.

Note it is trivially easy to escape this lock: one mouse click and one key press does it.
Over 10000 visitors to the Support site probably are not aware of this fact.

See also Bug 953147 &
WARNING FBI LOCKED BROWSER!!! https://support.mozilla.org/en-US/questions/981475 for a couple of solutions
10000+ views of threads https://support.mozilla.org/en-US/questions/961803#answer-444809