Slashdot Mirror


Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vivaldi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.


  1. I just don't need downloads to auto-initiate by ScentCone · · Score: 3, Insightful

    I've never seen the value of a page being able to spawn a download dialog without an affirmative click on a download link to the resource being fetched. Not that dumb people will be saved from themselves if there's something to click on ("Oh! It says to click on this - I guess I better click on it!"), but the "if your download doesn't start automatically, click here" language always seemed unnecessary. Perhaps I'm missing something on why a cruise-control file download should ever be supported?

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:I just don't need downloads to auto-initiate by Anonymous Coward · · Score: 5, Insightful

      Perhaps I'm missing something on why a cruise-control file download should ever be supported?

      It's quite simple, and quite stupid.

      Everyone wants to streamline the user experience so much so as to avoid confusing users with things like downloading and installing.

      So, as a result, everyone takes out the sensible controls which would otherwise prevent this shit, and things just happen automatically.

      Microsoft has been leading the charge of this stupidity for a long time now -- from hiding extensions, to deciding that Outlook would be helpful and run any scripts it finds, to the auto-run shit on CDs that Sony used to install rootkits.

      Increasingly, browsers are getting stupid and just say "hey, there's a script and some arbitrary code I know nothing about, let me just run that for you", so they create these issues themselves. No, sorry, I don't see the benefit in letting the dozens of embedded sites run code on my machine, because it's mostly just ads, analytics, trackers, and malware.

      The problem is if you don't have the knowledge to block this shit, it happens without your knowing it, and often to very bad outcomes. And, since the internet has become (even more of) a steaming swamp of bad actors, then things like browsers just rush ahead and keep doing the same stupid shit.

      It's time to have browsers and other internet aware things be saying "why the fuck would I let you run scripts since I don't know who you are". But every time someone tries that, the ad companies screech and howl that their business model is in jeopardy. I don't fucking care about your business model, and since you're an ad company you can kiss my ass and fuck off.

      If you want to know why this stuff happens, it's because browsers try to dumb down the experience to the point that you have no idea you've just allowed 15 external sites to run scripts and whatever else they want.