Slashdot Mirror


Download Bomb Trick Returns in Chrome -- Also Affects Firefox, Opera, Vivaldi and Brave (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vivaldi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.

34 of 78 comments

  1. bleepingcomputer -again-? by Anonymous Coward · · Score: 1

    I mean, if I wanted a bleepingcomputer RSS subscription I'd get one..

  2. I just don't need downloads to auto-initiate by ScentCone · · Score: 3, Insightful

    I've never seen the value of a page being able to spawn a download dialog without an affirmative click on a download link to the resource being fetched. Not that dumb people will be saved from themselves if there's something to click on ("Oh! It says to click on this - I guess I better click on it!"), but the "if your download doesn't start automatically, click here" language always seemed unnecessary. Perhaps I'm missing something on why a cruise-control file download should ever be supported?

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:I just don't need downloads to auto-initiate by smooth+wombat · · Score: 2

      Perhaps I'm missing something on why a cruise-control file download should ever be supported?

      Don't you know? It saves time! Having to move your mouse cursor a few inches here or there to click OK to begin a download is too time consuming. Think of all the time you waste every day having to manually click an acceptance button when you want to download a file.

      This is the future, old man. Auto download, whether you like it or not. You'll take this file if it has to be shoved down your throat.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:I just don't need downloads to auto-initiate by Anonymous Coward · · Score: 5, Insightful

      Perhaps I'm missing something on why a cruise-control file download should ever be supported?

      It's quite simple, and quite stupid.

      Everyone wants to streamline the user experience so much so as to avoid confusing users with things like downloading and installing.

      So, as a result, everyone takes out the sensible controls which would otherwise prevent this shit, and things just happen automatically.

      Microsoft has been leading the charge of this stupidity for a long time now -- from hiding extensions, to deciding that Outlook would be helpful and run any scripts it finds, to the auto-run shit on CDs that Sony used to install rootkits.

      Increasingly, browsers are getting stupid and just say "hey, there's a script and some arbitrary code I know nothing about, let me just run that for you", so they create these issues themselves. No, sorry, I don't see the benefit in letting the dozens of embedded sites run code on my machine, because it's mostly just ads, analytics, trackers, and malware.

      The problem is if you don't have the knowledge to block this shit, it happens without your knowing it, and often to very bad outcomes. And, since the internet has become (even more of) a steaming swamp of bad actors, then things like browsers just rush ahead and keep doing the same stupid shit.

      It's time to have browsers and other internet aware things be saying "why the fuck would I let you run scripts since I don't know who you are". But every time someone tries that, the ad companies screech and howl that their business model is in jeopardy. I don't fucking care about your business model, and since you're an ad company you can kiss my ass and fuck off.

      If you want to know why this stuff happens, it's because browsers try to dumb down the experience to the point that you have no idea you've just allowed 15 external sites to run scripts and whatever else they want.

    3. Re:I just don't need downloads to auto-initiate by thegarbz · · Score: 1

      Don't you know? It saves time!

      Really? Because the only pages that seem to auto-download anything do so with "Your download will begin shortly" followed by an advert.

    4. Re:I just don't need downloads to auto-initiate by The+MAZZTer · · Score: 1

      Well, the problem is some sites are configured such that an affirmative click would not be possible. This is mostly related to sites which implement hotlink blocking.

      For example, let's say I don't want people hotlinking my downloads so I require the user to load a landing page first so they see they are on my site, and I am providing them with the file. When the page loads, I generate a unique download url for them that will only work once, so hotlinking is not possible. Then the page will redirect them to the link so they get their download.

      In your scenario, the browser would be redirected to the file, but then drop the connection once it sees it's a file (you don't want to start downloading, after all) and ask the user if they really want to save it, providing the .EXE or .ZIP or whatever file name. Once you hit save the browser repeats its request, but now the server sees you are reusing a link and the hotlink block kicks in, and the browser downloads an error page to an .EXE or .ZIP name. Not very useful.

      Lots of free file hosting sites use this model so it's important browsers support it for users who use those sites.

      The current method Chrome uses, the file quietly downloads to your Downloads folder in the background while the user makes their choice. If they deny the download, the download is aborted and the file deleted. If it is accepted the download simply keeps going, having gotten a head start.

      Chrome will block multiple file downloads from a single user interaction outright. So it sounds like this is just a bug with that functionality failing to handle this extreme case. There is no need to break websites over it.
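The one-time-link behaviour described in the comment above, as an added example that is not part of the original post. `OneTimeLinkStore` and the two browser functions are hypothetical names, and the in-memory token table stands in for whatever a real file host uses.

```python
import secrets
import time


class OneTimeLinkStore:
    """In-memory single-use download tokens (hypothetical, for illustration)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens = {}  # token -> (file_id, expiry time)

    def issue(self, file_id):
        # Called when the landing page is rendered: unguessable, unique per visit.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (file_id, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        # pop() consumes the token, so a second request can never succeed.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return 403, "link already used or unknown"
        file_id, expiry = entry
        if self.clock() > expiry:
            return 410, "link expired"
        return 200, f"<contents of {file_id}>"


def single_request_browser(store, token):
    """One request, kept open while the user decides (the behaviour the
    comment attributes to Chrome)."""
    return [store.redeem(token)]


def probe_then_refetch_browser(store, token):
    """Hypothetical browser that drops the first response to ask the user,
    then repeats the request after confirmation."""
    first = store.redeem(token)   # connection dropped once a file is seen
    second = store.redeem(token)  # re-request after the user clicks Save
    return [first, second]


def demo():
    store = OneTimeLinkStore()
    ok = single_request_browser(store, store.issue("setup.zip"))
    broken = probe_then_refetch_browser(store, store.issue("setup.zip"))
    return ok, broken
```

In the second case the user ends up saving the 403 error body under the file's name, which is the failure the comment describes.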

    5. Re:I just don't need downloads to auto-initiate by Eravnrekaree · · Score: 2

      They don't really *need* scripts to throw up an ad. A flat JPG would do perfectly fine. I'd be perfectly fine with JPG ads and have defended these, but the scripts, the video garbage, I've lost my tolerance for it. The websites are ramming down all of these 100% CPU scripts and bandwidth hogging video down people's throats and then they act surprised and so hurt when people install an ad blocker. It really pisses me off.

    6. Re:I just don't need downloads to auto-initiate by another_twilight · · Score: 1

      You might want to look at uMatrix (link for Chrome version). It does some of what you want (site specific handling of calls to different resources with a default that blocks external resources), but I don't think it allows you to substitute your own code.

      Probably my 'if you had to use just one ...' extension.

    7. Re:I just don't need downloads to auto-initiate by pots · · Score: 1

      Microsoft has been leading the charge of this stupidity for a long time now

      Now, let's be fair: Microsoft is pretty late to the party on this. Removing or hiding options from users is very much an Apple thing.

  3. Attack of the clones by DarkRookie · · Score: 1

    Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
    1. Re:Attack of the clones by Oswald+McWeany · · Score: 1

      Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

      Regardless, I'm sure all 10 people who use Brave are worried about this development.

      --
      "That's the way to do it" - Punch
    2. Re:Attack of the clones by war4peace · · Score: 1

      They're all cowards.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:Attack of the clones by CaptainDork · · Score: 2

      As each browser tries to grab market share, we experience the game of chromes.

      When asked which browsers do this, we reply, "Chrome is some."

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Attack of the clones by TheFakeTimCook · · Score: 1

      Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

      But you will note that Safari isn't on the list; so WebKit must not be affected.

    5. Re:Attack of the clones by Cro+Magnon · · Score: 1

      Not surprising that it works in those other browsers since they are all pretty much Chrome clones.

      Regardless, I'm sure all 10 people who use Brave are worried about this development.

      Yeah, both of them, assuming you're using binary.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  4. Yup, I've seen this. by lasermike026 · · Score: 1

    The web and browsers have gone mad. I like turning off javascript just to have a simple web experience.

    1. Re:Yup, I've seen this. by mujadaddy · · Score: 1

      I keep all cookies off (* scope uMatrix), and all 3rd-party everything-else off as well. It's better. If you keep all 1st-party JS off, most sites are utterly blank. At least when you allow the domain to do what it's trying to, you get a good value measure of whether the content is worth seeing, before you need to decide to check from where they want their 3rd-party scripts.

      Usually, though, I find there's nothing under the js-clusterfuck. Noise > Signal.

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
  5. Freeze the browser? by PPH · · Score: 1

    What is xkill?

    --
    Have gnu, will travel.
    1. Re:Freeze the browser? by PPH · · Score: 1

      I'd guess that most Windows users know what the equivalent utility is on their platform.

      --
      Have gnu, will travel.
    2. Re:Freeze the browser? by DontBeAMoran · · Score: 1

      There is no way in hell that 'most Windows users' are aware of things like processes. Not by a long shot.

      Fixed that for you.

      "Most Windows users" still think the "blue e icon" means "the Internet". And yes, they think the Web is the Internet.

      --
      #DeleteFacebook
    3. Re:Freeze the browser? by PPH · · Score: 1

      There is no way in hell that 'most Windows users'

      Then they aren't actually running Windows. They are staring at a bunch of hung apps. If you can't find the process manager in your sleep, you haven't actually logged in to a Windows machine.

      --
      Have gnu, will travel.
  6. But not Edge? by Kenja · · Score: 2

    Or do people just not care enough to exploit it on Microsoft's browser?

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:But not Edge? by bobdehnhardt · · Score: 4, Funny

      Things that cause Edge to run poorly would be redundant.

    2. Re:But not Edge? by thegarbz · · Score: 2

      Why write an exploit for a system with no users?

    3. Re:But not Edge? by CaptainDork · · Score: 2

      Yours is the best post.

      As I was reading all the bullshit here, including my stuff, Edge never entered my mind.

      Wonder why that is?

      I'm a retired IT guy and family members occasionally ask, "In Chrome, how do I ..." or, "Is there a Firefox extension that ..."

      But never Edge.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:But not Edge? by Locke2005 · · Score: 1

      Edge is currently the world's most popular browser to use for downloading Google Chrome! So basically, for every new Windows installation, it gets used once!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    5. Re:But not Edge? by gravewax · · Score: 1

      then explain Firefox being on the list?

    6. Re:But not Edge? by thegarbz · · Score: 1

      Nostalgia.

  7. Not ... by cascadingstylesheet · · Score: 1

    ... Palemoon?

  8. "Download bomb", indeed? by Rick+Schumann · · Score: 1

    Website uses Download Bomb; it's super-effective!

    Me: "WTF? What's your problem, Firefox?" Opens Task Manager, Ends Task on Firefox, re-launch Firefox; same thing happens on the same page. "Hmm, must be a fucked-up webpage, guess I won't go there." End Task on Firefox again, re-launch again. Close the tab before it loads, go on to something else.

    ..where's the problem? People actually fall for this nonsense? Pathetic.

  9. Shady by duke_cheetah2003 · · Score: 1

    I love how the summary makes liberal usage of my favorite word to describe unscrupulous entities.

    SHADY AS FUCK!

  10. Sometimes it works by Locke2005 · · Score: 1

    I had to explain to my ex, "No, you don't call the phone number and give them your credit card number, you hit Ctrl-Alt-Delete, bring up Task Manager, and kill the browser process(es), idiot!" Of course, that assumes the victim is running Windows (fairly safe assumption).

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  11. Browsers suck by DMJC · · Score: 1

    I have a new computer running Linux and it'll quite often lock up when running Chrome. It only happens in Chrome. Such a crap browser, but I still prefer the web experience slightly more than Firefox so I live with the pain. Thank god for SSDs running at 1800mb/s.
