The bugzilla tickets linked from that article frustrates me. They should autoplay Yakety Sax music as they dodge around fixing the real @#$@ing bug:
Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and Javascript alert() to the individual browser tab. No individual tab should every be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
This problem immediately goes away and you don't need to play rate limit wackamole games or do stupid things like have a dialog box that asks if you want to see another modal dialog box.
As someone who interacts with HTTP basic auth frequently Firefox's behavior here is maddening. Fix the bad UI.
> Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and Javascript alert() to the individual browser tab. No individual tab should every be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
So, `alert()` was fixed about 10 years ago in Firefox.
I'm not sure why the "Authentication Required" dialog wasn't, but I'm willing to bet it's something that was blocked indirectly by the old extension infrastructure (the so-called XUL extensions): until Firefox ~57, huge chunks of the architecture of Firefox were impossible to touch without breaking XUL extensions at a fundamental level, and this included making many things non-blocking.
If I'm right, it's the kind of thing that can now be fixed.
The answer is probably something like "that dialog came from necko, because we didn't put in a good way to propagate blocking prompts back up from the network layer in a way that identifies which tab wants the request".
If extensions were the problem an interface to actually let the extensions work would have been created. As it is you still can't implement a password manager natively.
Wow, yes, having looked at it it's really that simple. All the exploit is doing is triggering a 403 authentication popup. There's even a comment on that bug with the exact scam in it - from two years ago!
In-browser treatment of HTTP auth is just shockingly bad. But Firefox seems to be somewhere you get rewarded for introducing new features rather than fixing bugs.
Funnily enough, in old versions of Firefox (before they deprecated the old plugin system), password managers like Lastpass were able to alter the http-auth pop-up so as to add their functionality to it.
At the time I thought that was cool, and was sad when it went away with the new plugin architecture, but looking back it does indicate quite how bad the situation was with that old plugin format.
This behavior causes another problem as well. I am unable to interact with my password manager plugin when a basic auth dialog is active. I need to remember to manually look up the password and have it in the clipboard before navigating to a site that uses basic auth or else open an additional Firefox window.
Honestly, I'm not sure why browsers don't create a pseudo page setup for things like HTTP auth, JavaScript prompts, etc. Instead of an ugly blocking modal, generate a basic login form/page with nicer styling that doesn't take over the entire window or tab. Like they do for a new tab or what not.
> LOL. I created a similar page lock up back in 1996 using the first Netscape with JavaScript. Back then no one took that seriously.
> "JavaScript exploits continue to plague all browsers" was something I wrote in 2002. Will it ever get better?
No. 10 years ago was common knowledge that you should avoid flash and javascript pages. Now flash is being slowly killed and javascript is the "saint" (if you say something bad about it you get excommunicated)
I stumbled upon this very thing last month. It was indeed extremely difficult to get rid of it, in particular since I had a ton of tabs open and didn't want to kill the whole browser. Since the modal blocks the UI and blocks the JavaScript event loop, it blocks also all usual keyboard shortcuts inside the browser like CTRL+W for closing the tab.
Luckily the affected tab was in a separate window, and here comes the tip if you're on Windows:
You can click `Alt+Space` to have an OS-provided menu, in which there's an option to close the window.
This happened to me as well, wish I had figured this out then. I unfortunately had "Restore tabs" set on - ended up just reinstalling the executable (and losing a hundred tabs...).
> The only way to close the window is to force-close the entire browser using either the Windows task manager or the Force Close function in macOS.
I primarily use Firefox, but am deeply disappointed in how such issues are handled (or rather, not handled). How many users on the planet would even know what a "Task Manager" is on Windows or how to "Force Close" an application on macOS? If/when the users learn from their more technically knowledgeable friends/family that this is a Firefox issue, most of them would just decide to switch to that popular browser that's been advertised on the most popular search engine and many other sites by the same company. That doesn't help Firefox much or people (like me) who evangelize Firefox to others.
> To resolve the problem, users must force-close Firefox and then, immediately upon restarting it, quickly close the tab of the scammer site before it has time to load.
Wouldn't it be easier to disconnect from the internet before reopening Firefox?
Really weird how the governments and tech companies always go after victimless crimes but in the instance of fraudulent tech support where there are real (mostly naive and tech-illiterate) victims they do nothing.
Devil's advocate. Maybe it doesn't seem like a big problem to those you mention since most of people scammed don't report it? But the prevalence should speak for itself, and this cancer feeds itself.
Who takes care of a crime if the perpetrator is in a different country or online?
Oh, an enterprising prosecutor could subpoena his way to the foreign buyer of the number, but it's sooo much work for such a little scam. The prosecutors, like everyone else, have to optimize their return on effort.
People with enough internet smarts to have an ad blocker aren't the target demographic for the ol' "your computer are hackered u are ded without u give us muney" JS dialog.
Too bad Amazon will host this forever. You can complain, they'll remove that ONE URL, but will happily ignore the same people hosting the same sites and URLs all over their janky networks. And Cloudflare would "protect the First Amendment rights" of people who host shit like this.
They both comply with law enforcement take down requests. Stop trying to make for-profit companies arbiters of what is right and wrong. To them less risk and more profit is right. In both cases they don't want to be responsible for what people deliver using their network,much like ISPs
Are you kidding me? I'm supposed to report stuff like this to the police, who then are supposed to send a take-down notice, every time a user of mine is affected by something like this?
No. I'm sorry, but the application of the tiniest bit of common sense can do wonders. I send a URL to Cloudflare or Amazon. They see that this is, in fact, the same scam as they've seen hundreds or thousands of times before. Instead of "protecting" the free speech of the uploader, they instead recognize that this isn't free speech - it's an attempt to scam and defraud. Fraud is not protected free speech. They take it down without delay, they block the uploader, and everyone benefits.
Same with phishing sites - it doesn't take a genius to look at a "Bank of America" site and see that it's not, in fact, the real BoA, just like it doesn't take a genius to know that a "Flash Update" site isn't.
They make money. Therefore, they have the resources to do this. Don't make it out like they're just poor companies that are stuck between a rock and a hard place, because that's just plainly disingenuous.
The problem is if they take on that responsibility then if someone loses money to a phish are they liable for not taking it down fast enough?
No, I am not kidding you. You pay tax for your law enforcement to do this. They can easily automate legit legal take down requests. Why can't your cops enforce your laws? Why do random companies have to come up with inconsistent rules,process and response? It's nice to have someone to blame but if hollywood can go after DMCA law enforcement can also go after cybercrime -- it's their job!
Oh, and I did not make them out to be poor companies. My concern is that I don't want these companies anywhere near being responsible for take downs of user generated content what is harmful needs to be defined by lawmakers and enforced by law enforcement not by facebook and cloudflare. You're asking a store owner to inspect patrons for criminal behavior and kick them out when you should be calling 911 to get them arrested. The business owner can and should kick them out but the responsibility of enforcig that law is with cops.
> Are you kidding me? I'm supposed to report stuff like this to the police, who then are supposed to send a take-down notice, every time a user of mine is affected by something like this?
Yes, reporting malicious activity to police is the right thing to do.
> Same with phishing sites - it doesn't take a genius to look at a "Bank of America" site and see that it's not, in fact, the real BoA, just like it doesn't take a genius to know that a "Flash Update" site isn't.
What you think to be a non-genius is nonetheless genius to someone who doesn't understand how web sites work and what to look for.
> They both comply with law enforcement take down requests. Stop trying to make for-profit companies arbiters of what is right and wrong. To them less risk and more profit is right. In both cases they don't want to be responsible for what people deliver using their network,much like ISPs
So you're saying they should outsource all scam and spam mitigation work to the police, and just let it run (and cause damage) until some police agency tells them to shut it down?
Pretty much,they can do a best-effort mitigation but I expect LEO to be effective enough to work with any tech company to police unlawful content. I want the right people responsible and capable of enforcement.
They comply with law enforcement requests and some unknown form of their own judgement. If they can take down stormfront, why can't they take down the scammers?
Because they're not law enforcement. Stromfront isn't illegal. Things work nicely when you expect things from the right people. Scammers are high volume and takes a lot of valuable resources and risk of accidental disruption of legit sites. Law enforcement can and should foot the bill and take responsibility for take downs.
Fixing a bug once and for all in the browser is a lot more viable than playing whack-a-mole with billions of websites. And that's not even taking into account how dangerous an entity capable of blocking billions of websites is.
Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and Javascript alert() to the individual browser tab. No individual tab should every be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
This problem immediately goes away and you don't need to play rate limit wackamole games or do stupid things like have a dialog box that asks if you want to see another modal dialog box.
As someone who interacts with HTTP basic auth frequently Firefox's behavior here is maddening. Fix the bad UI.
Edit: Oh, and here is a 13 year old bug about the real issue: https://bugzilla.mozilla.org/show_bug.cgi?id=377496