Twelve years later: Firefox to add full protection against 'login prompt' spam

Firefox to limit the number of "Authentication Required" popups to two per page.

Image: Firefox "Authentication Required" popups (credit: jakebe2)

Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites (usually tech support scam sites) from flooding users with non-stop "authentication required" login popups and keeping them from leaving or closing their browsers.

The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometime in early July.

According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup.

Mozilla previously shipped a fix for this issue, but it was incomplete, as it only blocked authentication prompts that originated from subresources, such as iframes.

This latest patch completes the fix by blocking all types of "Authentication Required" prompts, including those generated by the site's main domain. The patch came after users complained about this feature being abused many times over the past years [1, 2, 3, 4, 5, 6, 7].

Firefox users targeted many times with login prompt spam

Authentication prompt spam, also called login prompt spam, has been a problem for internet users for the last two decades.

Tech support scam sites have used this trick to trigger infinite loops of "Authentication Required" prompts that trap users on a site and prevent them from closing tabs or the browser.

The issue has been a problem for Chrome users, but even more so for Firefox, with numerous reports recorded of tech support scam campaigns using this trick to target Firefox users over the past few years [1, 2, 3, 4, 5, 6], and as recently as last December.

Browser makers are in a constant fight to fix bugs and loopholes exploited by tech support scammer groups. Mozilla's upcoming Firefox fix helps, but it won't stop tech support scammers, who will just find another trick to exploit.

For example, in the past, scammers have triggered thousands of downloads to freeze users' browsers, created JavaScript infinite loops to keep the CPU at 100 percent and block the browser, or used custom cursors to offset the mouse click area and prevent users from closing tabs.
