Firefox bug is enabling attackers to freeze out users

A Firefox bug allowing attackers to spam infinite authentication dialog prompts is being actively exploited and despite being recently discovered, the issue has been around for at least three years.

With this Firefox bug, a malicious website will show users a warning and then bring up an "Authentication Require" dialog box. However, the user is unable to close that window or cancel the dialog box without an infinite number of new dialogs spawning, effectively locking the user out of their browser.

The bug was recently reported by Jérôme Segura, head of threat intelligence at security provider Malwarebytes, who said it could be the first step in a social engineering attack.

"Browser lockers typically do not damage the computer but instead rely on social engineering to scare victims," Segura told SearchSecurity. "Those that are targeted tend to be the elderly and mostly in the U.S. However, several other countries such as the U.K., France, Spain or Germany are also on the target lists."

The attack affects all current versions (v70) of the Firefox browser on Windows, MacOS and Linux, and Segura said on Twitter the vulnerability is being actively exploited.

Segura reported the Firefox bug to Mozilla on Nov. 4, but the issue is not a new one for the browser. Segura's report (Bugzilla #1593795) was flagged as a duplicate of a report filed by Paul Zühlcke, a developer based in Berlin, who reported the issue (Bugzilla #1571003) on Aug. 2; Zühlcke was assigned the bug two weeks ago.

Zühlcke wrote in his bug report that the authentication confirmation prompts "can be abused for spamming users and stealing focus from the main window."

"Browser is locked, you cannot close the browser tab or window. This is used by tech support scammers," Zühlcke wrote. "There does not seem to be any rate limiting, so this can also be used for [denial of service.]"

In that Bugzilla report, Liz Henry, senior release manager for Mozilla, confirmed that beta versions of Firefox v71 and 72 are both affected by this issue as well.

Segura also mentioned on Twitter that this Firefox bug appears to be a way around a previous bug fixed in July in Firefox v68 (Bugzilla #1532338). In that fix Firefox began blocking authentication dialog prompts if the user cancelled prompts twice. Bugzilla reports for similar Firefox bugs can be traced back at least three years, if not more.

Segura was unsure why this Firefox bug has been around in one form or another for so long.

"Browser lockers are typically abusing legitimate features themselves and fixing the poor user experience could be at the expense of stability or a reduced feature set," Segura told SearchSecurity. "But this one seems particularly tricky to fix, so much so that it has been in limbo for two years."

The new attacks look like they get around that fix by adding in anti-spoofing confirmation prompts in addition to the authentication dialog prompts. On Nov. 6, Zühlcke suggested a possible solution of adding a user preference to disable anti-spoofing warning prompts.

In the meantime, malicious sites are being flagged as they are being reported and users would need to force close browsers or attempt to hit the escape key fast enough to clear dialog boxes while attempting to close the affected window or tab. However, if users have the restore tabs option turned on -- which is not on by default -- the malicious site would lock the browser again if the affected tab is not closed fast enough.

Segura said other options to mitigate the risk would be "certain browser extensions that can block these kinds of attacks heuristically or by blocking entire top-level domains (TLDs) that are usually used by tech support scammers."

At the time of this post, Mozilla and Zühlcke had not responded for requests to comment.