Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave

Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vilvadi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.

bleepingcomputer -again-?

I mean, if I wanted a bleepingcomputer RSS subscription I'd get one..

I just don't need downloads to auto-initiate

[ScentCone]

I've never seen the value of a page being able to spawn a download dialog without an affirmative click on a download link to the resource being fetched. Not that dumb people will be saved from themselves if there's something to click on ("Oh! It says to click on this - I guess I better click on it!"), but the "if your download doesn't start automatically, click here" language always seemed unnecessary. Perhaps I'm missing something on why a cruise-control file download should ever be supported?

Re:I just don't need downloads to auto-initiate

[smooth+wombat]

Perhaps I'm missing something on why a cruise-control file download should ever be supported?

Don't you know? It saves time! Having to move your mouse cursor a few inches here or there to click OK to begin a download is too time consuming. Think of all the time you waste every day having to manually click an acceptance button when you want to download a file.

This is the future, old man. Auto download, whether you like it or not. You'll take this file if it has to be shoved down your throat.

Re:I just don't need downloads to auto-initiate

Perhaps I'm missing something on why a cruise-control file download should ever be supported?

It's quite simple, and quite stupid.

Everyone wants to streamline the user experience so much so as to avoid confusing users with things like downloading and installing.

So, as a result, everyone takes out the sensible controls which would otherwise prevent this shit, and things just happen automatically.

Microsoft has been leading the charge of this stupidity for a long time now -- from hiding extensions, to deciding that Outlook would be helpful and run any scripts it finds, to the auto-run shit on CDs that Sony used to install rootkits.

Increasingly, browsers are getting stupid and just say "hey, there's a script and some arbitrary code I know nothing about, let me just run that for you", so they create these issues themselves. No, sorry, I don't see the benefit in letting the dozens of embedded sites run code on my machine, because it's mostly just ads, analytics, trackers, and malware.

The problem is if you don't have the knowledge to block this shit, it happens without your knowing it, and often to very bad outcomes. And, since the internet has become (even more of ) a steaming swamp of bad actors, then things like browsers just rush ahead and keep doing the same stupid shit.

It's time to have browsers and other internet aware things be saying "why the fuck would I let you run scripts since I don't know who you are". But every time someone tries that, the ad companies screech and howl that their business model is in jeopardy. I don't fucking care about your business model, and since you're an ad company you can kiss my ass and fuck off.

If you want to know why this stuff happens, it's because browsers try to dumb down the experience to the point that you have no idea you've just allowed 15 external sites to run scripts and whatever else they want.

Re:I just don't need downloads to auto-initiate

Because in the time it takes to click OK, plus select a location, you could have transfered some data. It was meant as an optimization. Why in the hell browsers extract archives or do ANYTHING with them, is the real WTF here.

Zipbombs are nothing new, they've been around since BBS's.

Re:I just don't need downloads to auto-initiate

Unfortunately because this was a JS feature it is now used by so many pages that half the web would stop working if it were disabled.

Therefore disabling the feature is not an option.

Noscript and similar functionality should honestly be built in to all browsers. The idea of allowing anyone to run code on your machine is completely and absolutely insane in every way. It doesn't matter if that code is a native binary or JS.

Re:I just don't need downloads to auto-initiate

... and now the biggest ad company makes the biggest browser.

Re: I just don't need downloads to auto-initiate

Funny u take a jab at Microsoft yet their browsers arenâ(TM)t in the list of affected

Re: I just don't need downloads to auto-initiate

Hosting sites like source forge seem to have a link that looks like it downloads a file, but it actually goes to a page with an auto start download. They use it to obscure the actual file url and to put up an additional page of ads while you download.

Re:I just don't need downloads to auto-initiate

[thegarbz]

Don't you know? It saves time!

Really? Because the only pages that seem to auto-download anything do so with "Your download will begin shortly" followed by an advert.

Re:I just don't need downloads to auto-initiate

[The+MAZZTer]

Well, the problem is some sites are configured such that an affirmative click would not be possible. This is mostly related to site which implement hotlink blocking.

For example, let's say I don't want people hotlinking my downloads so I require the user to load a landing page first so they see they are on my site, and I am providing them with the file. When the page loads, I generate a unique download url for them that will only work once, so hotlinking is not possible. Then the page will redirect them to the link so they get their download.

In your scenario, the browser would be redirected to the file, but then drop the connection once it sees its a file (you don't want to start downloading, after all) and asks the user if they really want to save it, providing the .EXE or .ZIP or whatever file name. Once you hit save the browser repeats its request, but now the server sees you are reusing a link and the hotlink block kicks in, and the browser downloads an error page to an .EXE or .ZIP name. Not very useful.

Lots of free file hosting sites use this model so it's important browsers support it for users who use those sites.

The current method Chrome uses, the file quietly downloads to your Downloads folder in the background while the user makes their choice. If they deny the download, the download is aborted and the file deleted. If it is accepted the download simply keeps going, having gotten a head start.

Chrome will block multiple file downloads from a single user interaction outright. So it sounds like this is just a bug with that functionality failing to handle this extreme case. There is no need to break websites over it.

Re:I just don't need downloads to auto-initiate

Noscript and similar functionality should honestly be built in to all browsers. The idea of allowing anyone to run code on your machine is completely and absolutely insane in every way. It doesn't matter if that code is a native binary or JS.

IMNSHO, there is a lot of js that is quite safe, and many sites are useless without some these days. Noscript can help, but it's too heavy handed and domain specific for me to recommend to normal people, like my mom.

What I would love to see, and I'm amazed it hasn't materialized after all these years of people attempting to work around these issues, is a plugin that would:
* have a toggle to do noscript style blocking on external resources (ie. allow scripts to run from this site, but prompt for any external scripts). This used to be an option in the normal browser options, along with load pictures from external resources.
* allow building a profile of js functions that are allowed per domain, and a way to build profiles of those.
* allow wrapping specific js functions to replace them with custom code, per domain, and also a way to build profiles of those.

The plugin would then ship with some standard profiles, and I strongly suspect it would take care of a lot of the issues.
For example, window.open... wrap that thing up, and pop in a check to see if that site is allowed to do that, and prompt or block depending on the site setting. This is more-or-less already implemented via the popup blocking in browsers, but if they allowed users to hook into this themselves, I think that'd be even better.
Another example, ajax calls (xmlhttprequest and friends), and window.location.href, etc etc. There's a short-ish list of js methods that can do potentially bad things. There could (I think easily) be a "safe" profile that would enable javascript for a given domain/site, but keep a bunch of methods wrapped up and mostly blocked. That would allow users to browse fairly normally on almost all sites, and just have to add some exceptions here and there for trusted sites.

As a nice side-effect, that would also provide a means to block some of the rowhammer style attacks, as one could inject random delays into some key methods.

If there is such a feature/plugin/etc out there, I'd like to know about it. I think there are ways of doing this already, perhaps via greesemonkey, but I don't know of any that are designed for this purpose and thus make it manageable.

Re:I just don't need downloads to auto-initiate

[Eravnrekaree]

They don't really *need* scripts to throw up an ad. A flat JPG would do perfectly fine. I'd be perfectly find with JPG ads and have defended these, but the scripts, the video garbage, i've lost my tolerance for it. The websites are ramming down all of these 100% CPU scripts and bandwidth hogging video down peoples throats and then they act surprised and so hurt when people install an ad blocker. It really pisses me off.

Re:I just don't need downloads to auto-initiate

[another_twilight]

You might want to look at uMatrix (link for Chrome version). It does some of what you want (site specific handling of calls to different resources with a default that blocks external resources), but I don't think it allows you to substitute your own code.

Probably my 'if you had to use just one ...' extension.

Re:I just don't need downloads to auto-initiate

uMatrix solves this. No scripts get run unless I explicitly allow them.

Re:I just don't need downloads to auto-initiate

[pots]

Microsoft has been leading the charge of this stupidity for a long time now

Now, let's be fair: Microsoft is pretty late to the party on this. Removing or hiding options from users is very much an Apple thing.

Attack of the clones

[DarkRookie]

Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

Re:Attack of the clones

Otherwise known as "chrones"

Re:Attack of the clones

[Oswald+McWeany]

Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

Regardless, I'm sure all 10 people who use Brave are worried about this development.

Re:Attack of the clones

[war4peace]

They're all cowards.

Re:Attack of the clones

[CaptainDork]

As each browser tries to grab market share, we experience the game of chromes.

When asked which browsers do this, we reply, "Chrome is some."

Re:Attack of the clones

[TheFakeTimCook]

Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

But you will note that Safari isn't on the list; so WebKit must not be affected.

Re:Attack of the clones

Happened to me yesterday on safari, slowed mac down to a crawl and downloaded over 450 files in the default download folder before i could force quit safari.

Re:Attack of the clones

[Cro+Magnon]

Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

Regardless, I'm sure all 10 people who use Brave are worried about this development.

Yeah, both of them, assuming you're using binary.

Re:Attack of the clones

Firefox and Vivaldi aren't Chrome clones. Firefox is a completely separate browser and Vivaldi is highly modified and only uses the same rendering core.

Re:Attack of the clones

Overheard....

"Nope, looks like Safari is good."
"That's on a phone though, try it on an Apple computer."
"...Umm.....you mean like an iPad?"
"No an actual Apple computer... you know.... a Mac."
"....wait....they still make those?"
"Errr....I think so, let me check...... nope looks like you're right, I found some pages on Apple's website, but they haven't been updated since 2012. So yeah... don't bother."

Yup, I've seen this.

[lasermike026]

The web and browsers have gone mad. I like turning off javascript just to have a simple web experience.

Re:Yup, I've seen this.

[mujadaddy]

I keep all cookies off (* scope uMatrix), and all 3rd-party everything-else off as well. It's better. If you keep all 1st-party JS off, most sites are utterly blank. At least when you allow the domain to do what it's trying to, you get a good value measure of whether the content is worth seeing, before you need to decide to check from where they want their 3rd-party scripts.

Usually, though, I find there's nothing under the js-clusterfuck. Noise > Signal.

Freeze the browser?

[PPH]

What is xkill?

Re:Freeze the browser?

Looks like it's somebody's nap time.

Re:Freeze the browser?

[PPH]

I'd guess that most Windows users know what the equivalent utility is on their platform.

Re:Freeze the browser?

Most?

Re:Freeze the browser?

[CaptainDork]

Smugness is not an endearing personality trait.

Close your eyes and read that very slowly.

Re:Freeze the browser?

I'd guess that most Windows users know what the equivalent utility is on their platform.

Then you would lose that bet.

There is no way in hell that 'most Windows users' are aware of things for killing processes. Not by a long shot.

Re:Freeze the browser?

its that cli command you can't reach because you can't reach a terminal to run it 5000 times to close each browser window because the browser windows are in the way. ya know.

Re:Freeze the browser?

[DontBeAMoran]

There is no way in hell that 'most Windows users' are aware of things like processes. Not by a long shot.

Fixed that for you.

"Most Windows users" still think the "blue e icon" means "the Internet". And yes, they think the Web is the Internet.

Re: Freeze the browser?

??????????. Well we know you aren't a geek.

Re:Freeze the browser?

[PPH]

There is no way in hell that 'most Windows users'

Then they aren't actually running Windows. They are staring at a bunch of hung apps. If you can't find the process manager in your sleep, you haven't actually logged in to a Windows machine.

Re:Freeze the browser?

The might know it as Ctrl-Alt-Del.

Re:Freeze the browser?

There is no way in hell that 'most Windows users'

Then they aren't actually running Windows. They are staring at a bunch of hung apps. If you can't find the process manager in your sleep, you haven't actually logged in to a Windows machine.

Walk up to a receptionist and ask her. Or your mom.

Millions of people every day user computers without necessarily having that little tidbit of knowledge.

Re:Freeze the browser?

Well, it isn't a solution to this problem, so why bring it up?

A real solution would stop the browser freezing.

But not Edge?

[Kenja]

Or do people just not care enough to exploit it on Microsofts browser?

Re:But not Edge?

[bobdehnhardt]

Things that cause Edge to run poorly would be redundant.

Re:But not Edge?

[thegarbz]

Why write an exploit for a system with no users?

Re:But not Edge?

[CaptainDork]

Your's is the best post.

As I was reading all the bullshit here, including my stuff, Edge never entered my mind.

Wonder why that is?

I'm a retired IT guy and family members occasionally ask, "In Chrome, how do I ..." or, "Is there a Firefox extension that ..."

But never Edge.

Re:But not Edge?

[Locke2005]

Edge is currently the world's most popular browser to use for downloading Google Chrome! So basically, for every new Windows installation, it gets used once!

Re:But not Edge?

funny, but kinda lame also given Edge is currently king when it comes to speed (I still hate it though).

Re:But not Edge?

[gravewax]

then explain Firefox being on the list?

Re:But not Edge?

[thegarbz]

Nostalgia.

Not ...

[cascadingstylesheet]

... Palemoon?

FQ = end

Force Quit works every time.

Re:FQ = end

Or either pull the power plug or the network cable should work as well.

Re:Attack of the clones Safari yes

Safari is now on list as of two minutes ago.

"Download bomb", indeed?

[Rick+Schumann]

Website uses Download Bomb; it's super-effective!

Me: "WTF? What's your problem, Firefox?" Opens Task Manager, Ends Task on Firefox, re-launch Firefox; same thing happens on the same page. "Hmm, must be a fucked-up webpage, guess I won't go there." End Taks on Firefox again, re-launch again. Close the tab before it loads, go on to something else.

..where's the problem? People actually fall for this nonsense? Pathetic.

Re:"Download bomb", indeed?

..where's the problem? People actually fall for this nonsense? Pathetic.

By which you mean the vast numbers of people who know little about computers and can't recognise and prevent this stuff?

My mother, for instance, is in her late 70s. She can use the computer for email and banking, but otherwise would know nothing about killing tasks, script blockers, or any of that stuff.

It has been true for a very long time now that far more users of computers aren't really that knowledgeable about the inner workings of them.

I've focused on teaching my mother how to avoid the scams and spams and other shit, but no way I'm going to even try to teach her how to end tasks.

The companies who make browsers need to focus on making them more secure and safer for users, not adding more and more plugins and other crap which runs automatically and mostly just serves ads and malware.

The web needs to be far more locked down, because right now, browsers are functioning as complete idiots who will run anything. And it needs to be done in a way such that normal humans don't need to be internet security experts to safely browse the web.

Instead we just see more things like native binaries being embedded into browsers that just run code from anywhere like cheap whores.

Of course, Chrome will be incapable of anything like this, because it's made by a fucking ad company.

Re:"Download bomb", indeed?

"WTF? What's your problem, Firefox?" Opens Task Manager, Ends Task on Firefox, re-launch Firefox; same thing happens on the same page. "Hmm, must be a fucked-up webpage, guess I won't go there." End Tasks on Firefox again, re-launch again. Close the tab before it loads, go on to something else. ...where's the problem?

The problem?

1) can't close the tab in time (unless you are running a very slow connection) must shut down internet connection, reload browser, close tab, enable internet, reload browser.

2) "Hmm, must be a fucked-up webpage" No kidding Sherlock, the "your computer is infected with a virus and had been locked, you must call xxxxxxxxx immediately to fix this" didn't give you a clue? Bing seems to be by far the worst at linking you to these ("sponsored") sites.

Bottom line: there is no !@#%$& excuse for any browser allowing itself to be locked by a web site. Close a tab should always work. And a option to only play media files when the user clicks a play icon, maybe an option to let JS to run.

Shady

[duke_cheetah2003]

I love how the summary makes liberal usage of my favorite word to describe unscrupulous entities.

SHADY AS FUCK!

Sometimes it works

[Locke2005]

I had to explain to my ex, "No, you don't call the phone number and give them your credit card number, you hit Ctrl-Alt-Delete, bring up Task Manager, and kill the browser process(es), idiot!" Of course, that assume the victim is running Windows (fairly safe assumption).

Re:Sometimes it works

It is Ctrl-Shift-Esc for the task manager, what Ctrl-Alt-Delete does varies.

No. You're the problem.

Good. Not everyone SHOULD be using it. Best tool for the job and all. Personality traits are irrelevant, to wit: yours.

You just proved you're a SOYBoy (lol) then

See subject SOYBoy (rotflmao) in your UNIDENTIFIABLE anonymous "courageous" trolling you "not man" - LMAO!

(You know - I understand your SOYMilk & Bisphenol A "notman" SOYBoy formulas have addled your brains but that takes the cake for "illogic logic" from "your kind", lol!)

* These posts making you get all "triggered" when you see your addled thinking fools nobody but your sick in the head chemically NEUTERED (lol) selves, lmao!

APK

P.S.=> Classic - one for my bookmarks... apk

Zontar stalks me via sockpuppets (druggie loon)

Going to make more sockpuppets to stalk & troll me with you LITERALLY ADMITTED loon https://slashdot.org/comments.... + sending me postcards w/ threats too https://slashdot.org/comments.... you little STALKING whacko??

Zontar, take your meds you ADMITTED mentalcase https://slashdot.org/comments....

&

You're also a druggie too https://slashdot.org/comments....

* You're a butthurt loon freak, plain & simple - you did it to yourself, loser... see below for proof.

APK

P.S.=> Still trying to live down how I shot you to pieces in the art & science of computing Mr. Butthurt https://slashdot.org/comments.... ?

How about proving hosts & my program that builds them are useless too https://slashdot.org/comments.... ? ... apk

Zontar starts w/ me I finish it (see ps)

Zontar you = a self-admitted loon https://slashdot.org/comments.... !

You make sockpuppets https://slashdot.org/comments.... to troll me with (effete & weak like you Sweden soyboy letting your women be raped by muslims)

&

You blow your easily nullified 'downmodpoints' on me ADMITTEDLY https://slashdot.org/comments.... when you can't prove what I post on hosts files is wrong + You obviously SELF-UPMOD YOURSELF via sockpuppets you make (TrollingForHostsFiles, proof in 2nd link above)!

+

You send me postcards with threats in them too whacko https://slashdot.org/comments.... ?

* LAYOFF THE DRUGS https://slashdot.org/comments.... [slashdot.org] UBI soyboy!

APK

P.S.=> Don't start up w/ me 1st Zontar https://slashdot.org/comments.... ... apk

Registered /.ers review of the Win64 model

Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

his hosts program is actually pretty good by xenotransplant August 10 2015

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

I like your host file system by Karmashock September 09 2015

that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

* Best part's Linux 64-bit model's faster/more efficient (2x work in 1/2 the time)

APK

P.S.=> For a faster/safer/more reliable internet... apk

Fatass virgin is loon)

Yawn, same old malware lies from APK, poor snowflake gets all triggered, LMAO.

Fuck you you stalking little cunt... apk

See my subject: You're DAMN RIGHT I'd kick YOUR FUCKING ASS for stalking & harassing me you unidentifiable little cowardly cunt - tell me your REAL name, address, & phone # so I can verify it's REALLY you & we can settle this once & for all, fucker...

APK

P.S.=> Everyone SEES you constantly stalking & harassing me bitch, so WHO ARE YOU FOOLING but yourself - & IF I ever get to you? You'll WISH you were dead cocksucker... I shit you not! apk

Time to see you SQUIRM "lil' JOWIE" (lol)

Time to see you SQUIRM "lil' JOWIE" (lol) YES or NO here "JOWIE" (hahaha) https://news.slashdot.org/comm...

* Yes, I know that others WILL agree it's FUN to see "Jealous JOWIES" that STALK ME by UNIDENTIFIABLE anonymous posts SQUIRM!

(Like the WORMS you are beneath MY BOOT!)

Toxic?

Freak - get a clue - you're f'ing STALKING me HIDING in fear of me too behind UNIDENTIFIABLE anonymous posts (worms like you HAVE to fear guys like me & yes, that IS fear, you hiding).

APK

P.S.=> Every SINGLE time you give me SUCH A LAUGH as I box you into THIS VERY CORNER & you SQUIRM, worm, hahahaha... apk

LOL! MOMMY HELP ME (golden wine)... apk

Hohohohoho see the CLASSIC proof of that here soyboys as you DRINK the golden wine https://news.slashdot.org/comm... straight from MY tap (of GOLDEN piss), all natural ingredients, naturally filtered (of ME pissing right into your shitbag mouths & funniest part is, you help me DO it - you LIKE it, lol!).

Do you LIKE the taste? Obviously yes - just like folks like my hosts engine, anything I put out, even piss, is GOOD (unlike "your kind").

Above all else though? Hey - MOMMY LOVES YOU!

APK

P.S.=> Hahahahaha (I think this is the BEST overall letting you SHEMALE soyboys destroy yourselves for GOLD (ask SuckerBERG about that - he's the expert as is all his kind are - heading into ZylonB & Furnace time again judging by what's happening - the PRICE of it is that, always, they don't learn)... apk

Browsers suck

[DMJC]

I have a new computer running Linux and it'll quite often lock up when running Chrome. It only happens in Chrome. Such a crap browser, but I still prefer the web experience slightly more than Firefox so I live with the pain. Thank god for SSDs running at 1800mb/s.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Best protection = BEST ad (& more) blocker

APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).

* ONLY 1 of its kind in GUI on Linux!

Better vs. Windows model in speed/efficiency/merge.

APK

P.S.=> See subject & "Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker" https://blog.malwarebytes.com/...

Registered /.ers review of the Win64 model

Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

his hosts program is actually pretty good by xenotransplant August 10 2015

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

I like your host file system by Karmashock September 09 2015

that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

* Best part = Linux 64-bit model's faster/more efficient (2x work in 1/2 the time)

APK

P.S.=> For a faster/safer/more reliable internet... apk