
Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix - EpicEng
https://www.zdnet.com/article/malicious-sites-abuse-11-year-old-firefox-bug-that-mozilla-failed-to-fix/
======
danillonunes
The bigger problem is that a authentication dialog is a window modal, which
makes the entire browser inoperative. If it wasn’t for this, you could simply
close the tab with the malicious site.

This broader issue is reported on the bug #123913, which is 17 years old. The
bug is old enough to drive.

~~~
SilasX
_Not to defend Mozilla 's inability to prioritize_, but ...

Isn't that a common issue across browsers? I know on iOS, I get burned by
shady sites on Safari that do redirects and pop up a browser-level modal that
somehow stops me from closing the tab until I turn off Javascript and restart
the browser.

~~~
st3fan
That must be on an older iOS version? Pretty sure that on recent versions the
modal dialogs are actually not modal anymore and are rendered 'in content'. So
you can always close the tab.

~~~
SilasX
11.2.1. But I guess in tech, that's the wild-west stone age where you couldn't
expect a browser not to be taken over by a site ...

~~~
st3fan
Why the negativity? Software is fluid and never perfect. And specially the
fight between browsers and malicious sites won't stop at any time ... At least
they recognized the problem and acted on it.

~~~
SilasX
The fact that a modal could ever block my ability to close the tab was a hard
mistake to make.

------
codedokode
One of the sites opened fullscreen mode to hide browser UI. Note that
currently web browser developers are implementing a fullscreen mode with
keyboard lock that is much harder to leave because it blocks most of system
key combinations: [1]. The only keys that will still work are Ctrl + Alt + Del
or holding an Esc for two seconds. And as I assume you cannot leave it using
mouse or touchpad.

Another problem is that browsers are tol complicated. Building Firefox from
source requires you to have a powerful machine with multicore CPU and lot of
memory and comilation would take a lot of time. This could stop people from
contributing fixes.

[1]
[https://www.chromestatus.com/feature/5642959835889664](https://www.chromestatus.com/feature/5642959835889664)

~~~
Santosh83
> Note that currently web browser developers are implementing a fullscreen
> mode with keyboard lock that is much harder to leave because it blocks most
> of system key combinations. The only keys that will still work are Ctrl +
> Alt + Del or holding an Esc for two seconds. And as I assume you cannot
> leave it using mouse or touchpad.

What possible justification is there for this? Looks like this can become an
ideal way to 'force' unsuspecting users to interact with a malicious site...

~~~
franga2000
> What possible justification is there for this?

If I had to guess, I'd say games. Browser games just refuse to die. I thought
they'd die with Java applets, then with Flash, but they just keep coming
back...

~~~
crysin
Why the language of refuse? Are you inferring there is inherently something
bad about games on the web?

~~~
franga2000
No, that's just my opinion.

One of the main reasons wouldn't like to see browser games come back is that
they are usually basically 100% tied to a server. They're not like standard
games, where even if the servers go down, you still have the files and can
either keep playing offline or even hack together a server implementation.
Once the server goes down, that game is gone[1].

Not to mention, that if an industry were to arise around web-based games, most
would probably either be the "free but pay-to-win and with ads" kind, or on
Netflix-style subscription platforms where you don't actually own anything and
you're just paying for the access.

[1] - not saying it's impossible to preserve it, just that it's not preserved
by default, like a locally-installed game is

~~~
vorpalhex
This is no longer true for even locally installed games. If Ubisoft's uPlay
disappears tomorrow, your locally installed games are just useless bits.

Many very nice web based games exist, and many can be saved to disk and
launched from a local html file just fine. Many games target the web browser
because it's easily cross platform, requires no install, and is easy to
convince new players to give it a try.

------
gregknicholson
> this issue has gone unfixed, for unknown reasons

The reason is just that no-one has thought it important enough to fix, and/or
no-one has been able to get sufficient agreement on what the correct fix is.
Let's not pretend there's a mystery.

~~~
throwaway12iii
And yet issues that affect advertising revenue on Youtube get fixed same day.

~~~
PedroBatista
Something like 80-90% of their revenue comes from Google. Their higher-ups can
spin it all day, but they know damn well their jobs depend on a good
relationship with Google.

~~~
gsnedders
Or even indirectly, the YouTube team might choose to instead send them an
IE6-era experience of YouTube instead of the current one to avoid the bug,
which might push users away from Firefox.

------
danShumway
Pure curiosity, what's the advantage of this? What am I missing?

The user can't leave the malicious domain, but they also can't interact with
the page, because the dialog is in the way. And even if they could, are they
really more likely to trust the site after it's made a bunch of random popups
appear in a row?

Is it just malice? What does the malicious site gain?

~~~
Wowfunhappy
I assume the idea is that on the page visible behind the dialog are
instructions to call some number, or open the download, or approve the
extension the site wants to install.

~~~
zeta0134
Having spent a couple of years working for tech support for a large retail
chain, I can confirm that this happens much more often than you might think.
Non-technical users are _floored_ the browser locking up, especially if the
site starts to do something alarming like play an audio file telling them
their computer is infected. If they were lucky and brought it to me in that
state, I'd teach them about their task manager and how to close the browser,
and warn them about visiting suspicious sites. But if they actually _called_
the number, and in some cases, allowed the scammers to remote into the
machine... all bets were off. There was no telling what we would find.

~~~
walrus01
Some pretty good examples of different scammer scripts, of a wide variety,
from a guy who has made a hobby out of trolling them:

[https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw/vid...](https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw/videos)

~~~
chris_wot
You should see The Hoax Hotel. Much more amusing!

------
rubatuga
I thought this was a solved problem in most web browsers. Just show a nonmodal
dialog for popups like in safari and chrome.

~~~
jasode
_> Just show a nonmodal dialog for popups like [...] chrome._

But in some cases, Chrome has _modal_ dialog popups that Firefox does not. I
made a previous comment about this and you can test that behavior on a safe
site like regex101.com:

[https://news.ycombinator.com/item?id=17046268](https://news.ycombinator.com/item?id=17046268)

------
Uhrheber
Why does nobody target the root cause?

The possibility to show popups and popovers in browsers should be removed
completely. There are little to no legit uses for them. Even reputable
websites use them only to nag and annoy their users.

And don't get me started about Javascript. This is a plague, that causes more
problems than it solves.

~~~
oliwarner
This is an absurd overreaction.

Popovers are CSS. Just a positioned element. And both up-and-overs are
"legitimately" used as modals in apps.

~~~
black_puppydog
And even in those cases 99% of the time they're a PITA. Modals are as bad in
web UI as they are in desktop UI.

~~~
oliwarner
But this isn't a discussion about whether or not modals are good idea. The OP
was arguing —without any idea what the mechanics are, I'm sure, because that's
how we decide how technology works these days— that CSS should not be allowed
to layer and position one thing over another.

Modals have a place, but like everything, they get abused by people with no
idea about how things _should_ work. But that isn't a good standalone argument
for going back to pre-1997 CSS.

------
giancarlostoro
This has been something that irritates me. If I want to copy a password for a
site in another tab. Oh look I can't. This isn't just a stupid bug, it's
terrible UX. I have to open either another Firefox window, or another browser
entirely (better safe than sorry!) in order to find that password for a site
that didn't intend to hijack focus for the login screen.

------
cronix
Or how about sites like the one where this article actually appeared (zdnet)
making it very difficult (some are impossible) to use the back button? I
clicked the article on HN, read it on zdn, and had to hit "back" about 10
times to get back to HN, which was the "previous page visited."

------
SilasX
Ironically enough, when I go to that site, I immediately (feel like I) lose
control of the browser because it pops up the "do you want to allow
notifications on this site" which stops me from scrolling down on the
keyboard.

~~~
e40
With uBlock Origin and uMatrix it looks extremely clean to me.

~~~
SilasX
I wasn't complaining about the bloat (already have uBlock), I think I just
need to turn off requests for notifications. (Or even better, have
intermediate option where I can be aware that it wants to send me
notifications, but where it doesn't take the focus off and interfere with my
plugins like Vimium.)

------
pmoriarty
Yet another reason to use an extension like uMatrix to disallow javascript by
default, and only allow the absolute minimum that sites you trust need to
function.

~~~
ryanmccullagh
Not allowing JavaScript turns into a chore when you find out that websites
break in non obvious ways. I do not want to manually enable/disable JavaScript
when the browser is a means to an end for me.

~~~
ori_b
Yet another reason to do it -- so that bug reports about websites not working
without Javascript are taken seriously, and fixed.

~~~
SquareWheel
Or they'll continue to be ignored, because they're not bugs with the website.

~~~
ori_b
It's a bug with the website as long as users start looking for alternatives.
That's why there needs to be a lot of advocacy.

------
gambler
Why are modal popups still a thing at all? Yes, I know all the excuses. They
are not good enough.

Also, websites should not be able to block browser UI unless I explicitly
allow them to. In any way.

------
octosphere

        for(a=0;a<9001;a++){
        prompt('','');
        }

~~~
ArrayList
I almost forgot prompt() was ever a thing!

------
pcunite
I have really been enjoying FireFox 62+ ... so fast. To hear about a long-
standing bug is disappointing.

~~~
dao-
Pretty much any complex piece of software has known and unknown long-standing
bugs.

------
microcolonel
I say it every time that people say "Firefox is great now!". Just look at the
Bugzilla, and tell me that among the thousands of reports (many of which have
gone untriaged for around a decade!) there aren't at least a handful of
serious issues like this.

One, among many, of the reasons I use Chromium is that I see reports taken
absolutely seriously, especially any report with any potential security
outcome. Even seemingly minor issues or feature requests I've filed with
Chromium get thoughtful and prompt responses.

I wish Mozilla the best, but the quality of Firefox is low in a way that I
notice every time I use it; I'd appreciate it if they go back to basics and
actually try to address at least the _known_ issues with the software.

~~~
zapzupnz
I'd like Firefox to stop focusing on revamping the user interface every five
minutes, that's all. Might be a start.

~~~
nikbackm
When was the last time they revamped the UI? Honestly cannot remember.

~~~
jgh
they changed it this year didn't they? Weren't people making jokes that now
firefox is square and chrome is round?

~~~
nikbackm
Right, had forgotten about that. Was thinking about more substantive changes
like Australis though, the look of tab corners seem pretty trivial.

