Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com)

Posted by msmash on from the blast-from-the-past dept.

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with this kind of malicious sites, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years ever since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside their source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentification modal in a loop.

7 of 91 comments (clear)

  1. Re:Hmmm... by Luckyo · · Score: 4, Interesting

    I have a firefox with standard adblock, anti tracking et al installed on pretty much all machines I administer. I got a panicked call from my mother, who runs one such machine primarily as her "youtube kittens and women magazines internet thingy" when she got stuck on one such site. No idea how she got there, but it seemed to manage to bypass the blockers I have on that machine. It happened about a month ago.

    My guess is that she followed a bad link on social media or something like that to a new site that wasn't on blacklist just yet. The easiest way out that I could figure over the phone was to literally hard crash the browser through process manager, and then tell browser on restart not to resume the session. There didn't seem to be any easy way out that I could quickly figure out over the phone otherwise. It just locked the browser to that malicious page.

  2. bad by TRRosen · · Score: 4, Funny

    This is bad news for Firefox users. Both of them.

  3. They may be open source.. However.. by auzy · · Score: 5, Insightful

    The CEO at Mozilla now seems to get paid over $800K per year.

    I lost all respect when the CEO sent out an email absolutely begging for money to help the company survive, whilst they themselves could hire 10 full time employees with that money and still live comfortably. Management at Mozilla is begging for money whilst they are literally living like kings (and I donated a fair bit to Mozilla in the past).

    Management seems to have reached max corruption, and if management gave a damn about the software, they would at least halve their salaries and hire more developers or start some community bounties with the money, instead of prioritising themselves. Even 300K is more than enough to live VERY comfortably. $800K is just greedy. Because, if management gave a The company is slowly returning to Netscape days and management seems more focused on their own gains.

    I also wonder how many people with the current board of directors were those who started with the company.

  4. Re:Modal dialog boxes by Anonymous Coward · · Score: 3, Insightful

    My professor in school ~20 years ago said to avoid modal dialogs because they piss people off and in many cases aren't required, and are lazy designs. And he was right.

  5. Re:abusing a Firefox bug to trap users on maliciou by rtb61 · · Score: 4, Interesting

    What struck me was the absurd notion of the whole scam. You have stuck someone in an advertising loop, they will not be happy, seriously why would you expect them to buy anything, the inane greed of psychopaths.

    --
    Chaos - everything, everywhere, everywhen
  6. Re:abusing a Firefox bug to trap users on maliciou by Anonymous Coward · · Score: 5, Informative

    Most folks who would care probably are running Noscript which blocks iframes. If you're running any browser naked you're probably not just vulnerable to iframes but EVERYTHING ELSE too.

    iFrames can certainly be a problem, but, at the very core of this particular issue is the REAL problem that nobody wants to talk about:

    Modal dialog boxes

    This is a a cancer that needs to be eliminated ASAP (and never should have existed in the first place).

    Being able to put something on the screen that the user cannot navigate away from is beyond stupid. There are no words that can adequately describe the stupidity of this "feature".

  7. Re:Modal dialog boxes by samdu · · Score: 3

    I don't know if I'd consider myself a "Unix person (though I do really like Linux)," but the issue I have with Microsoft's modal/non-modal dialog boxes is the complete lack of consistency. And this isn't an IE/Edge problem, it's a Windows problem. Some windows you can resize and interact with other windows. Some windows you can't resize, but you can still interact with other windows. Some windows you can resize and the content of the window flows to expand. Some you can resize and the content doesn't flow at all. It's a complete mess.