Firefox Users Under Attack By 12-Year-Old Bug Exploited By Malicious Sites
A bug in Firefox that was first reported 12 years ago is still being exploited by malicious websites. The bug essentially allows a malicious site to ensnare a user by repeatedly showing them an "Authentication Required" pop-up login box. When the users tries to close the login box, a new one appears. The only way out is to close the browser.
Users have reported this flaw in Firefox several times over the years, including yesterday (Saturday), but it's never been resolved. Here's the most recent report (edited for clarity)...
"When I was browsing some site, a pop-up ad window appeared... At first I thought it is just an annoying advertising site and I went to close it," the user wrote. "However, I couldn't... At first, it opened in full-screen mode. With some fake Windows dialog (I am using Linux so I know it is fake), it tried to let me install their extensions."
He went on to state that he attempted to close the tab and browser Window, but couldn't because the dialog box was holding the browser hostage.
"I clicked the close button of the login dialog (or cancel button). Then the dialog appeared again. I clicked the 'Don't allow' button of the extension installation pop over, but it seems not clickable. I killed the Firefox process, which was the only solution for me," the user added.
Savvy users will have no trouble figuring out how to manually close Firefox even when the 'X' in the upper-right corner is accessible, but less savvy users might have a tougher time. They'd also be more prone to install a malicious extension, if a website tries to force one on them. Regardless, it's a little concerning that this bug has been known for 12 years, yet still remains.
It became a contentious issue when the person who first reported the bug resurrected the original thread last year and inquired why it had gone unfixed for what had been 11 years at the time.
"I'm not sure if the question is rhetorical or not, but while modal authentication dialogs do present a DoS vector, this is only one of many vectors with which a page can DoS the browser (with the user's only choice being to close and restart the browser). (and certainly 11 years ago it was easier still than it is today with the era of multi-process architecture)," a Firefox developer wrote.
This prompted a back-and-forth between the user who reported the issue, and one of the developers.
"As there appears to be no lead person in charge of security in your project willing to take ownership of the failure, there seems to be no reason for me to keep this issue open as it is unlikely to be fixed. I will discourage use of Firefox and Mozilla based software from use due to systemic problems in responding to security concerns," the user wrote.
The developer responded by linking the user to the Bugzilla Etiquette page, and specifically the section that says, "'Open Source' is not the same as 'the developers must do my bidding'."
"Everyone here wants to help, but no one else has any obligation to fix the bugs you want fixed," the developer wrote.