Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)
Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug boils down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain.
[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users onto sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.
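The mitigation that closes this class of abuse is to refuse an HTTP authentication prompt for a subresource (such as an iframe) whose origin differs from the top-level page's origin. Below is an added, simplified model of that policy, not Mozilla's code; the URLs and responses are constructed samples, and the `auth-trap.invalid` host is a placeholder.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for a URL, normalising default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def has_auth_challenge(status, headers):
    """True if the response is a 401 carrying a WWW-Authenticate challenge."""
    return status == 401 and any(k.lower() == "www-authenticate" for k in headers)

def should_prompt(top_level_url, resource_url, status, headers):
    """Allow the auth modal only for challenges from the top-level page's own origin.

    A cross-origin iframe returning 401 is exactly the pattern the article
    describes, so its challenge is suppressed instead of shown to the user.
    """
    if not has_auth_challenge(status, headers):
        return False
    return origin(top_level_url) == origin(resource_url)

# Constructed sample loads: (top-level page, loaded resource, status, headers).
SAMPLE_LOADS = [
    ("https://shop.example/cart", "https://shop.example/cart", 401,
     {"WWW-Authenticate": 'Basic realm="staff"'}),          # own origin: prompt
    ("https://news.example/story", "http://auth-trap.invalid/frame.html", 401,
     {"WWW-Authenticate": 'Basic realm="x"'}),              # cross-origin iframe: suppress
    ("https://news.example/story", "https://news.example:443/api/me", 401,
     {"www-authenticate": 'Basic realm="api"'}),            # explicit default port: same origin
    ("https://news.example/story", "http://auth-trap.invalid/frame.html", 200, {}),
]

def evaluate(loads=SAMPLE_LOADS):
    """Return [(resource_url, prompt_allowed)] for each load."""
    return [(res, should_prompt(top, res, st, hd)) for top, res, st, hd in loads]

if __name__ == "__main__":
    for res, allowed in evaluate():
        print("PROMPT  " if allowed else "SUPPRESS", res)
```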
I have a Firefox with standard adblock, anti-tracking et al. installed on pretty much all machines I administer. I got a panicked call from my mother, who runs one such machine primarily as her "youtube kittens and women's magazines internet thingy" when she got stuck on one such site. No idea how she got there, but it seemed to manage to bypass the blockers I have on that machine. It happened about a month ago.
My guess is that she followed a bad link on social media or something like that to a new site that wasn't on the blacklist just yet. The easiest way out that I could figure out over the phone was to literally hard crash the browser through the process manager, and then tell the browser on restart not to resume the session. There didn't seem to be any easy way out that I could quickly figure out over the phone otherwise. It just locked the browser to that malicious page.
What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop; they will not be happy. Seriously, why would you expect them to buy anything? The inane greed of psychopaths.
Chaos - everything, everywhere, everywhen