Scammers have been found actively exploiting a bug in Firefox to trick unsuspecting people into believing that their computers have been hacked. What’s more, the attack urges users to call a fraudulent support line within five minutes to avoid having their systems disabled. The poorly worded message, which has all the hallmarks of a scam, reads below: Mozilla seems to be already aware of the issue for about three months now and is actively working to resolve it. “Basic auth confirmation prompts can be abused for spamming users and stealing focus from the main [browser] window,” goes the description of the bug report. The browser lock (or browlock) exploit, which affects both Windows and macOS versions, works by bombarding users with non-stop “authentication required” authorization prompts that prevent users from leaving or closing their browsers. In this case, malicious sites — such as d2o1sv4d11x6bc[.]cloudfront[.]net/firefox/index.html — have been specifically programmed via JavaScript to take advantage of the flaw to spam users with endless popups. It appears that, at least in one instance, the offending site was loaded upon clicking a harmless link, suggesting a form of URL hijacking attack.
— Jérôme Segura (@jeromesegura) November 4, 2019 To get around the problem, you will have to manually terminate the browser process via the Windows Task Manager or use the Force Quit feature in macOS. But there’s a catch: if you’ve turned the restore tabs option on, you’ll be stuck in a perptual loop, with the only option being disconnecting from the internet before opening the browser again. It’s worth noting that Mozilla issued a fix for login prompt spam some 12 years after being reported starting with Firefox 68 back in July. The fact that attackers have already devised an active workaround indicates that bad actors are constantly looking for ways to beat security defenses built into software to further their aims.
