
Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites --usually tech support scam sites-- from flooding users with non-stop "authentication required" login popups and stopping users from leaving or closing their browsers.
The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometime in early July.
According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup.
Mozilla previously shipped a fix for this issue, but it was incomplete, as it only blocked authentication prompts that originated from subresources, such as iframes.
This latest patch completes the fix by blocking all types of authentication required prompts --including those generated by the site's main domain. The patch came after users complained about this feature being abused many times over the past years [1, 2, 3, 4, 5, 6, 7].
Firefox users targeted many times with login prompt spam
Authentication prompt spam, also called login prompt spam, has been a problem for internet users for the last two decades.
Tech support scam sites have used this trick to trigger infinite loops of "Authentication Required" prompts that block users on sites and prevent them from closing tabs or the browser.
The issue has been a problem for Chrome users, but even more so for Firefox, with numerous reports of tech support scam campaigns using this trick to target Firefox users over the past few years [1, 2, 3, 4, 5, 6], and as recently as last December.
Browser makers are in a constant fight to fix bugs and loopholes exploited by tech support scammer groups. Mozilla's upcoming Firefox fix helps, but it won't stop tech support scammers, who will just find another trick to exploit.
For example, in the past, scammers have triggered thousands of downloads to freeze users' browsers, created JavaScript infinite loops to keep the CPU at 100 percent and block the browser, or used custom cursors to offset the mouse click area and prevent users from closing tabs.