The AchieVer Posted December 10, 2018

Cybercriminals were spotted abusing an 11-year-old Firefox bug, which Mozilla has failed to fix since April 2007, to trap users on malicious sites. The Firefox bug redirects victims to a malicious site with an iframe embedded inside the source code, which results in authentication requests being made in a loop on the malicious sites.

Over the past few years, cybercriminals have been tricking users into visiting malicious websites, but these criminals aren't using some new never-before-seen trick. Instead, they leveraged an unpatched Firefox bug to lure users to the malicious sites, with tech support scams, ad farms, fake gift vouchers, and malware-laced software updates. If a victim tried to leave the page, the hackers operating the malicious sites triggered an authentication request in a loop. Every time the victim rejected the request, another request was made and a new modal appeared. This continues until the victim is forced to close his/her browser altogether or start a new browsing session. This is the result of the Firefox bug redirecting to a malicious site with an iframe embedded inside the source code.

The latest report against the bug

The latest report about the bug came from a victim, who reported the issue on Saturday, December 8, 2018. The user reported that upon landing on one of these malicious sites, he was forced to install a suspicious Firefox extension. A pop-up ad window opened in full-screen mode was presented to the victim, who also discovered that when he tried to press 'ESC' to exit the full screen or close the window, it failed to work. When the user tried to close the login dialog box or click the 'Cancel' button, the dialog kept appearing again and again until the user killed the Firefox process. The 'Don't allow' button of the extension installation also seemed non-clickable, the user added.

The bug remains unfixed for unknown reasons, despite being reported several times, leaving cybercriminals free to abuse it.
Jogs Posted December 10, 2018

Mozilla 😡😡
steven36 Posted December 10, 2018

Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. This wouldn't be a big deal, as the web is fraught with this kind of malicious site, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007.

The bug narrows down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain. This results in the iframe showing an authentication modal on the malicious site, like the one below.

For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users to sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates.

Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop. Every time the user dismisses it, another request is made, and a new modal appears, effectively keeping the user captive on the malicious sites until they close the browser altogether, and are forced to start a new browsing session.

But despite being reported over and over again, seven other times [1, 2, 3, 4, 5, 6, 7], this issue has gone unfixed, for unknown reasons, and crooks have gladly abused it all this time.

The latest example of abuse comes from a user who reported the issue once again today, after landing on one of these shady sites that tried to force him into installing a suspicious Firefox extension.

"At first, it is opened full screen mode. With some fake Windows dialog (I am using Linux so I know it is fake)," the user said. "It tried to [force] me install their extensions."

"Then I press ESC to exit full screen. I click the close button of tab or window, but it doesn't work because it has this login dialog. I click close button of the login dialog or cancel button. Then the dialog will appear again. I click the 'Don't allow' button of extension installation pop over, but it seems not clickable. I killed the Firefox process, which is the only solution for me."

Sure, Mozilla is an open source project, and it doesn't have unlimited resources to handle all the reported issues, but you'd think that after more than 11 years a Firefox engineer would find the time to fix an actively exploited issue.

Based on the feedback left by other users on the reported issue, the Firefox team's best bet is to follow how Edge and Chrome have dealt with this same issue.

Edge: The delay between authentication modals in Edge is large enough to allow the user to close the tab or the browser.

Chrome: The authentication dialog window has been moved from the browser window level to each tab's level. This means the aggressive authentication dialogs only block the tab, and not the entire browser, allowing the user to easily close the abusive tab.
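The following is an added example, not code from the article or from anyone in this thread: a defender-side check for the pattern steven36's post describes, a page embedding a cross-origin iframe whose target answers with an HTTP authentication challenge (401 plus WWW-Authenticate). The sample HTML and the `fake_head` responder are constructed stand-ins so it runs offline; a real crawler or proxy filter would issue HEAD or GET requests for the iframe targets instead.

```python
"""Flag pages embedding a cross-origin iframe whose target demands HTTP auth."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def origin(url):
    """(scheme, host, port) tuple; default ports filled in so comparisons work."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, p.hostname, port)


def find_auth_trap_iframes(page_url, html, head):
    """head(url) -> (status, headers). Return cross-origin iframe targets
    that reply with a 401 carrying a WWW-Authenticate challenge."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        target = urljoin(page_url, src)          # resolves //host/... and /path
        if origin(target) == origin(page_url):   # same-origin frames are not the pattern
            continue
        status, headers = head(target)
        challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate")
        if status == 401 and challenge:
            hits.append(target)
    return hits


# Constructed sample: one hidden cross-origin iframe plus one same-origin iframe.
SAMPLE_PAGE_URL = "http://example.test/landing"
SAMPLE_HTML = """<html><body><h1>Update required</h1>
<iframe src="//auth.example.invalid/login" style="display:none"></iframe>
<iframe src="/ads/frame"></iframe></body></html>"""


def fake_head(url):
    """Constructed responses standing in for real HEAD requests."""
    if url == "http://auth.example.invalid/login":
        return 401, {"WWW-Authenticate": 'Basic realm="login"'}
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    print(find_auth_trap_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML, fake_head))
```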