New(?) Bypass: Infinite Prompt/Alert/Confirm Dialogue Boxes in Google Chrome

Discussion in 'other security issues & news' started by Doritoes, Jul 27, 2010.

Thread Status:
Not open for further replies.
  1. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
    Hello Everyone,

    I think I created a new bypass (if that is the right word) for Google Chrome that allows a devious person to create an infinite number of prompt/alert/confirm modal dialogue boxes using javascript. I have tested this on Google Chrome 5 and it basically hobbles the browser and prevents you from doing anything. Even checking the “Prevent this page from creating additional dialogs” does not work because I bypassed that with a simulated mouse click on the page, which I think is the novel part.

    A malicious person could use this to keep you on a page and keep loading ads/exploits or they could try some social engineering and keep pestering a user for login names and passwords to their e-mail/social sites/banking/etc…

    I have created a demonstration page on my website at http://optimalcycling.com/BrowserSecurityTests/InfinitePromptBoxesOnLoad.html Note that you must have javascript enabled for the demo to work.

    A screenshot of this demo is below:
    http://img5.imageshack.us/img5/2724/infinitepromptsonload.jpg

    I've also written up a page about this on my website:
    http://optimalcycling.com/other-projects/browser-security-tests/

    I have also tested this on Internet Explorer 8 and Firefox 3.6 with javascript enabled. They both show an infinite number of prompt boxes. Safari likely will as well. Opera 10.6 also shows an infinite number of prompt boxes but its prompt boxes are non-modal so it is less serious. However, older versions of Opera do not have non-modal dialogue boxes.

    What do you guys think? Is this just an annoying problem or could someone really do something evil with it? By the way, I run with javascript off by default and whitelist as needed. I also wrote my own Google Chrome extension to block this and other types of pop up exploits so I'm pretty safe. But for the average person, this could be a problem.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Firefox 3.6

    With the exploit page open, hold the Esc key and hit Cancel, then middle-click another link in the tab bar, then left-click the x in the tab of the exploit page to shut it down.

    Depress the esc key and hit cancel on the exploit dialogue.

    Some fake scan sites use a very similar tactic.
     
  4. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
  5. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
    I would have simply killed Firefox in the Task Manager. I think the best solution is in Opera 10.6 where the prompt/alert/confirm boxes are not modal at all and thus don't block you from closing the tab.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I usually terminate FF's process through Sandboxie if need be as that's one of the safest ways to surf but used the scenario where I didn't want to lose my other open tabs.
     
  7. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
  8. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  9. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
    Ok, here's a curve ball for you guys: I can essentially DOS a computer by trying to make the browser open a large number of windows by simply looping in javascript:

    for(var i=0; i<9999999; i++)
    window.open ("http://www.google.com","_blank","status=1,toolbar=1");

    I've tried this on Google Chrome, but just limiting it to opening 50 windows at the same time. Why don't web browsers stop such a simple attack?
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Most webservers are on gigabit connections. Now assuming you were actually requesting a fresh copy of that page every time instead of using a cached version, which is what the browser does, it would still be nowhere near enough bandwidth to DOS the remote server.

    Also, I wouldn't be surprised if that loop locked your PC for a few seconds/minutes.
     
  11. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
    I'm not talking about DOS the server, I'm talking about DOS the PC because with that simple loop, you would be required to restart your browser.
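
Added example, not part of the thread and not the extension Doritoes mentions: one way a blocker could cap both behaviours discussed above, the prompt/alert/confirm flood and the `window.open` loop, with a single shared rate limit. `installDialogGuard`, its option names and the fake window object are hypothetical and constructed for illustration.

```javascript
// Added example: one shared rate limit for modal dialogs and popups.
// installDialogGuard and its options are hypothetical, not a browser API.
function installDialogGuard(win, opts = {}) {
  const limit = opts.limit ?? 3;            // calls allowed per time window
  const windowMs = opts.windowMs ?? 10000;  // sliding window length in ms
  const now = opts.now ?? (() => Date.now());
  const stamps = [];                        // timestamps of allowed calls
  const stats = { allowed: 0, blocked: 0 };

  // What each API returns when suppressed: the same values a user pressing
  // Cancel, or a popup blocker, would give the calling script.
  const suppressed = { alert: undefined, confirm: false, prompt: null, open: null };

  for (const name of Object.keys(suppressed)) {
    const original = win[name];
    if (typeof original !== "function") continue;
    win[name] = function (...args) {
      const t = now();
      while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
      if (stamps.length >= limit) {         // budget spent: do not show anything
        stats.blocked++;
        return suppressed[name];
      }
      stamps.push(t);
      stats.allowed++;
      return original.apply(win, args);
    };
  }
  return stats;
}

// Constructed stand-in for a page's window so the guard runs outside a browser.
function demo() {
  let clock = 0;
  const calls = [];
  const fakeWin = {
    alert: () => { calls.push("alert"); },
    confirm: () => { calls.push("confirm"); return true; },
    prompt: () => { calls.push("prompt"); return "typed"; },
    open: (url) => { calls.push("open"); return { url }; },
  };
  const stats = installDialogGuard(fakeWin, { limit: 3, windowMs: 10000, now: () => clock });
  for (let i = 0; i < 1000; i++) fakeWin.prompt("password?");          // dialog flood
  for (let i = 0; i < 50; i++) fakeWin.open("http://www.google.com", "_blank");
  const duringFlood = { ...stats, shown: calls.length };
  clock = 10000;                       // window has expired: dialogs work again
  const later = fakeWin.confirm("ok?");
  return { duringFlood, later, after: { ...stats } };
}
```

In a real browser the wrapper would have to be installed in the page's own script context before any page script runs, and it only limits calls made through the wrapped functions.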
     