
Fraudulent tech-support sites cause Firefox to freeze, displaying scary message - Symmetry
https://arstechnica.com/information-technology/2019/11/scammers-are-exploiting-an-unpatched-firefox-bug-to-send-users-into-a-panic/
======
blocke
The bugzilla tickets linked from that article frustrate me. They should
autoplay Yakety Sax music as they dodge around fixing the real @#$@ing bug:

Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth
and JavaScript alert() to the individual browser tab. No individual tab should
ever be allowed to pop a modal that prevents interaction with any other tab or
any other browser window.

This problem immediately goes away and you don't need to play rate-limit
whack-a-mole games or do stupid things like have a dialog box that asks if you
want to see another modal dialog box.

As someone who interacts with HTTP basic auth frequently, Firefox's behavior
here is maddening. Fix the bad UI.

Edit: Oh, and here is a 13-year-old bug about the real issue:
[https://bugzilla.mozilla.org/show_bug.cgi?id=377496](https://bugzilla.mozilla.org/show_bug.cgi?id=377496)

~~~
pjc50
Wow, yes, having looked at it, it's really that simple. All the exploit is
doing is triggering a 403 authentication popup. There's even a comment on that
bug with the exact scam in it - from two years ago!

In-browser treatment of HTTP auth is just shockingly bad. But Firefox seems to
be somewhere you get rewarded for introducing new features rather than fixing
bugs.

~~~
Wowfunhappy
> In-browser treatment of HTTP auth is just shockingly bad.

My biggest annoyance is that since the login modal blocks the rest of the UI,
I can't use my password manager!

(At least, I can't use Bitwarden, but I can't imagine how any other
browser-plugin-based password manager would get around this.)

~~~
s_kilk
Funnily enough, in old versions of Firefox (before they deprecated the old
plugin system), password managers like LastPass were able to alter the
HTTP-auth pop-up so as to add their functionality to it.

At the time I thought that was cool, and was sad when it went away with the
new plugin architecture, but looking back it does indicate quite how bad the
situation was with that old plugin format.

------
jlv2
LOL. I created a similar page lock up back in 1996 using the first Netscape
with JavaScript. Back then no one took that seriously.

"JavaScript exploits continue to plague all browsers" was something I wrote in
2002. Will it ever get better?

~~~
coribuci
> LOL. I created a similar page lock up back in 1996 using the first Netscape
> with JavaScript. Back then no one took that seriously.

> "JavaScript exploits continue to plague all browsers" was something I wrote
> in 2002. Will it ever get better?

No. 10 years ago it was common knowledge that you should avoid Flash and
JavaScript pages. Now Flash is being slowly killed and JavaScript is the
"saint" (if you say something bad about it you get excommunicated).

------
jakub_g
I stumbled upon this very thing last month. It was indeed extremely difficult
to get rid of it, in particular since I had a ton of tabs open and didn't want
to kill the whole browser. Since the modal blocks the UI and blocks the
JavaScript event loop, it also blocks all the usual keyboard shortcuts inside
the browser, like Ctrl+W for closing the tab.

Luckily the affected tab was in a separate window, and here comes the tip if
you're on Windows:

You can press `Alt+Space` to get an _OS-provided menu_, in which there's an
option to close the window.

~~~
mellowdream
This happened to me as well; I wish I had figured this out then. I unfortunately
had "Restore tabs" set on - ended up just reinstalling the executable (and
losing a hundred tabs...).

------
newscracker
_> The only way to close the window is to force-close the entire browser using
either the Windows task manager or the Force Close function in macOS._

I primarily use Firefox, but am deeply disappointed in how such issues are
handled (or rather, not handled). How many users on the planet would even know
what a "Task Manager" is on Windows or how to "Force Close" an application on
macOS? If/when the users learn from their more technically knowledgeable
friends/family that this is a Firefox issue, most of them would just decide to
switch to that popular browser that's been advertised on the most popular
search engine and many other sites by the same company. That doesn't help
Firefox much or people (like me) who evangelize Firefox to others.

~~~
lonelappde
No one's defending the bug. It's hard to fix.

------
oceliker
> To resolve the problem, users must force-close Firefox and then, immediately
> upon restarting it, quickly close the tab of the scammer site before it has
> time to load.

Wouldn't it be easier to disconnect from the internet before reopening
Firefox?

~~~
saithir
And have a device _gasp_ without internet? _faints_

Seriously though, I think it's a testament to how common the internet
connection has become. Someone probably didn't even think of it.

------
dependenttypes
Really weird how the governments and tech companies always go after victimless
crimes but in the instance of fraudulent tech support where there are real
(mostly naive and tech-illiterate) victims they do nothing.

~~~
notelonmusk
Devil's advocate: maybe it doesn't seem like a big problem to those you
mention since most of the people scammed don't report it? But the prevalence
should speak for itself, and this cancer feeds itself.

Who takes care of a crime if the perpetrator is in a different country or
online?

~~~
dependenttypes
> Who takes care of a crime if the perpetrator is in a different country or
> online?

They seem to have solved this issue in cases of copyright infringement of big
companies (such as WB/Disney) and child pornography.

------
ISL
Nothing like having a phone number the FBI can call...

~~~
ovi256
It's surely a VoIP number rerouting to outside the US, that's just basic opsec
for scams.

~~~
dickeytk
I wonder who owns the 888 number though. I assume there must be some kind of
registration for toll-free numbers.

~~~
ovi256
Oh, an enterprising prosecutor could subpoena his way to the foreign buyer of
the number, but it's sooo much work for such a little scam. The prosecutors,
like everyone else, have to optimize their return on effort.

------
Animats
From the article: _"The most important thing to do is to remain calm and not
make any sudden response."_

------
vwuon
Seems like these scripts are triggered by malvertising -- if your ad blocker
is properly configured this should never happen.

~~~
chefandy
People with enough internet smarts to have an ad blocker aren't the target
demographic for the ol' "your computer are hackered u are ded without u give
us muney" JS dialog.

~~~
vwuon
I was under the impression that Firefox already shipped with an ad blocker by
default?

~~~
chefandy
The default ad-blocking functionality won't block an attack like this. You'd
need a more robust blocker like NoScript.

~~~
chefandy
(which is great if you're looking for one, BTW!)

------
ga-vu
wow... one single website used it... now thanks to some dumb journalist, a lot
more are going to use it too

aren't reporters supposed to wait for a patch?

~~~
Tepix
Two years should be enough time to fix this.

Full disclosure will get this fixed rather quickly now.

~~~
ga-vu
This was fixed in June. The new bypass was found a day before the article was
published. The journalist literally gave Mozilla one day to fix.

------
johnklos
Too bad Amazon will host this forever. You can complain, they'll remove that
ONE URL, but will happily ignore the same people hosting the same sites and
URLs all over their janky networks. And Cloudflare would "protect the First
Amendment rights" of people who host shit like this.

~~~
badrabbit
They both comply with law enforcement take-down requests. Stop trying to make
for-profit companies arbiters of what is right and wrong. To them less risk
and more profit is right. In both cases they don't want to be responsible for
what people deliver using their network, much like ISPs.

~~~
johnklos
Are you kidding me? I'm supposed to report stuff like this to the police, who
then are supposed to send a take-down notice, every time a user of mine is
affected by something like this?

No. I'm sorry, but the application of the tiniest bit of common sense can do
wonders. I send a URL to Cloudflare or Amazon. They see that this is, in fact,
the same scam as they've seen hundreds or thousands of times before. Instead
of "protecting" the free speech of the uploader, they instead recognize that
this isn't free speech - it's an attempt to scam and defraud. Fraud is not
protected free speech. They take it down without delay, they block the
uploader, and everyone benefits.

Same with phishing sites - it doesn't take a genius to look at a "Bank of
America" site and see that it's not, in fact, the real BoA, just like it
doesn't take a genius to know that a "Flash Update" site isn't.

They make money. Therefore, they have the resources to do this. Don't make it
out like they're just poor companies that are stuck between a rock and a hard
place, because that's just plainly disingenuous.

~~~
inetknght
> _Are you kidding me? I'm supposed to report stuff like this to the police,
> who then are supposed to send a take-down notice, every time a user of mine
> is affected by something like this?_

Yes, reporting malicious activity to police is the right thing to do.

> _Same with phishing sites - it doesn't take a genius to look at a "Bank of
> America" site and see that it's not, in fact, the real BoA, just like it
> doesn't take a genius to know that a "Flash Update" site isn't._

What you think to be a non-genius is nonetheless genius to someone who doesn't
understand how web sites work and what to look for.

~~~
badrabbit
To the last point, I review phishing content regularly and I can say even a
genius would fall for a good phishing attack.

