New(?) Bypass: Infinite Prompt/Alert/Confirm Dialogue Boxes in Google Chrome

Hello Everyone,

I think I created a new bypass (if that is the right word) for Google Chrome that allows a devious person to create an infinite number of prompt/alert/confirm modal dialogue boxes using javascript. I have tested this on Google Chrome 5 and it basically hobbles the browser and prevents you from doing anything. Even checking the “Prevent this page from creating additional dialogs” does not work because I bypassed that with a simulated mouse click on the page, which I think is novel part.

A malicious person could use this to keep you on a page and keep loading ads/exploits or they could try some social engineering and keep pestering a user for login names and passwords to their e-mail/social sites/banking/etc…

I have created a demonstration page on my website at http://optimalcycling.com/BrowserSecurityTests/InfinitePromptBoxesOnLoad.html Note that you must have javascript enabled for the demo to work.

A screenshot of this demo is below:
http://img5.imageshack.us/img5/2724/infinitepromptsonload.jpg

I've also wrote up a page about this on my website:
http://optimalcycling.com/other-projects/browser-security-tests/

I have also tested this on Internet Explorer 8 and Firefox 3.6 with javascript enabled. They both show an infinite number of prompt boxes. Safari likely will as well. Opera 10.6 also shows an infinite number of prompt boxes but it’s prompt boxes are non-modal so it is less serious. However, older versions of Opera do not have non-modal dialogue boxes.

What do you guys think? Is this just an annoying problem or could someone really do something evil with it? By the way, I run with javascript off by default and whitelist as needed. I also wrote my own Google Chrome extension to block this and other types of pop up exploits so I'm pretty safe. But for the average person, this could be a problem.

 

Firefox 3.6

With the exploit page open hold the esc key and hit cancel then middle click another link in the tab bar then left click the x in the tab of the exploit page to shut it down.

Depress the esc key and hit cancel on the exploit dialogue.

Some fake scan sites use a very similar tactic.

 

I will file a bug report on the Chromium site instead.

 

I would have simply killed Firefox in the Task Manager. I think the best solution is in Opera 10.6 where the prompt/alert/confirm boxes are not modal at all and thus don't block you from closing the tab.

 

I usually terminate FF's process through Sandboxie if need be as that's one of the safest ways to surf but used the scenario where I didn't want to lose my other open tabs.

 

I have opened up a Chromium bug report here: http://code.google.com/p/chromium/issues/detail?id=50377

 

Franklin, Session Manager is a great add-on for that purpose.

 

Ok, here's a curve ball for you guys: I can essentially DOS a computer by try to make the browser open a large number of windows by simply looping in javascript

for(var i=0; i<9999999; i++)
window.open ("http://www.google.com","_blank","status=1,toolbar=1");

I've tried this on Google Chrome, but just limiting it to opening 50 windows at the same time. Why don't web browsers stop such a simply attack?

 

Most webservers are on gigabit connections. Now assuming you we're actually requesting a fresh copy of that page every time instead of using a cached version which is what the browser does, it would still be no where near enough bandwidth to DOS the remote server.

Also, I wouldn't be surprised if that loop locked your PC for a few seconds/minutes.

 

I'm not talking about DOS the server, I talking about DOS the PC because with that simply loop, you would be required to restart your browser.