12 Years After It Was Notified, Firefox To Add Full Protection Against 'Login Prompt' Spam (zdnet.com)
Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites -- usually tech support scam sites -- from flooding users with non-stop "authentication required" login popups and preventing users from leaving or closing their browsers. From a report: The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometime in early July. According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup.
Mozilla previously shipped a fix for this issue, but it was incomplete, as it blocked authentication prompts that originated from subresources, such as iframes. This latest patch completes the fix by blocking all types of authentication required prompts -- including those generated by the site's main domain.
I never see any of these pop-ups and I'm running FF 50 (I think) at home. Never had any problems.
I guess I'm not one checking out Bob's House of Free Software every day.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Only twelve years of torture, and voila! It's fixed!
fuck google
Let's go over this again.
Repeat it after me: Do not run random unknown and untrusted scripts by default.
Time after time after time we see the same story. Vulnerability after vulnerability is exploited, malicious behavior after malicious behavior, blocking cut and paste, blocking back buttons, delivering malware, demonstrated attacks against Spectre and Meltdown, scraping data you didn't want scraped, annoy-ware, auto-playing audios, auto-playing videos, it's literally a weekly event that we see some new form of shitware delivered by Javascript from some weird domain as one of the hundred or more used by some site.
JUST SAY NO.
Running scripts given to you by sources who do not have your interests in mind is idiotic. It was not a good idea when it started, and it is not a good idea now.
How much shitware do we need, before we learn that giving such a massive attack surface to any of a hundred random domains used by some site you connect to is not a good idea? How much malware packaged up with ads? Why would you allow some random ad from some unknown source to run code on your system?
Turn that shit off. It's time.
But Anonymous Coward! The web is broken like that!!one! Partially, but only because all of you idiots with JS enabled by default taught those sites that you would happily do anything they wanted you to do. If they said "jump" you asked "how high sir?"
But Anonymous Coward! I need to use JS to give you my crapware! I don't care. It's my computer, and I will decide what it does. Not you.
You have all been teaching "web developers" [sic] that you will bend over for anything they want to do with your computer. It's time to start teaching them the opposite lesson. Turn it off. Maybe enable it for your bank. Take control of your own environment.
I'm getting real sorely tempted to save this message and paste it in every time we hear of Yet Another Malicious Use Of Web Delivered Scripts.
AC out.
I have javascript on, but I still agree with you. I've used NoScript before, and it is crazy how much faster sites load.
Dang, no edit. Forgot to mention you save that message and paste it every time. It is the truth. We don't need 10 libraries downloaded for special effects. I'm not against smooth scrolling but who cares about transitions. They don't add much value.
Although it seems really laggy compared to Chrome on Android. Not sure if Google is up to some shenanigans or if Firefox is inferior in Android. I'll run anything to avoid a Google product.
Remote code cannot execute directly on your system - it needs an assist from your browser (usually via Javascript). As a result, there are a host of bad things that happen but which would never happen without the help of the browser.
The pop-up window is a biggie, particularly when the browser not only accommodates the web page in creating such a window, but if such a moronic thing is ever allowed, the browser should decorate the window in a manner that explicitly marks it as NOT popped-up by anything other than the web page content!
Why is this an issue?
Because malicious web pages can pop-up a window on your desktop that is decorated to look like any other window on your desktop, and then the contents can be made to look like any local app or desktop notification ----- which can then fool a user into typing in his or her ROOT PASSWORD, or user password, or e-mail account password, or bank account password, etc.
ANY WINDOW OR DIALOG SPAWNED BY WEB CONTENT SHOULD BE EXPLICITLY MARKED AS NON-LOCAL IN ORIGIN AND DANGEROUS.
In any sane and honest computing environment, no window or dialog box not originating locally should be decorated to look like one originated locally.
Of course, many of these problems would not exist if Mozilla would simply revert to their old and trusty behavior of having (and honoring) preference options for blocking pop-ups and suppressing Javascript. One can dream....
Mozilla will admit that removing XUL was a mistake. Until then, there are the usual forks to use.
Try uMatrix; it will give you control of what sites can load scripts/images/frames/...
Get full control over your browser.
This will be nice to get at work. There, Microsoft's Outlook Web Access constantly has bad authentication requests, but only on Firefox. Fortunately, I can tell which are the bad ones, because they say something like "the site says "mail.COMPANYNAME.com"". Entering a username/password never works, it just asks again, but cancelling makes the popup go away, for a time.
I'm not sure if it's a bug in OWA, or a misconfiguration made by the IT group. But they're very annoying and it's good to hear they might be suppressed in the future.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
.. How come when I read the title, I instantly thought of the old AOL instant message phishing scams that went along the lines of "There was a problem with our servers, and I need you to give me your screen name, password, (and sometimes) credit card # so you can continue to log in."?
I've seen misconfigured web pages pop up multiple "authentication required" prompts because resources such as images were accidentally password protected. The # of times the prompt came up corresponded with the # of broken images on the page.
It's very rare, but it happens.
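The misconfiguration described in the comment above (embedded resources that are password protected, each raising its own prompt) can be found from the server side by looking for 401 responses that carry a Referer. The following is an added example, not part of the original story or discussion; the log lines, the host `example.test` and the function name are constructed, and the limit of two prompts per page is taken from the summary's description of Firefox 68.

```python
import re
from collections import defaultdict

# Limit described in the summary: the third prompt onward is suppressed.
FIREFOX_68_PROMPT_LIMIT = 2

# Constructed access-log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:10:00:01 +0000] "GET /gallery.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:02 +0000] "GET /private/a.png HTTP/1.1" 401 381 "https://example.test/gallery.html" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:02 +0000] "GET /private/b.png HTTP/1.1" 401 381 "https://example.test/gallery.html" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:03 +0000] "GET /private/c.png HTTP/1.1" 401 381 "https://example.test/gallery.html" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://example.test/gallery.html" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2019:10:05:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2019:10:06:00 +0000] "GET /img/x.png HTTP/1.1" 401 381 "https://example.test/about.html" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def pages_with_subresource_401s(log_text):
    """Map each referring page to the embedded resources that answered 401."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue
        if m["referer"] in ("", "-"):
            continue  # no Referer: a direct visit, not an embedded resource
        hits[m["referer"]].add(m["path"])
    report = {}
    for page, paths in hits.items():
        report[page] = {
            "resources": sorted(paths),
            # Prompts beyond the limit would no longer be shown to the user.
            "suppressed": max(0, len(paths) - FIREFOX_68_PROMPT_LIMIT),
        }
    return report

if __name__ == "__main__":
    for page, info in pages_with_subresource_401s(SAMPLE_LOG).items():
        print(page, info)
```

Pages listed here are worth fixing at the source (remove the stray access control or stop embedding the protected resource) rather than relying on the browser to hide the prompts.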