Researcher Sabri Haddouche, a security researcher with Wire, on Sunday released the source code for the attack, which he included in a series of browser bugs dubbed Browser Reaper, which he said could crash Firefox versions 62.0.2 and earlier.
Haddouche has also released Browser Reaper source code for Chrome (including Chrome 69, ChromeOS 69 and earlier), as well as Safari (Safari iOS and macOS from 9.0 to 12.0).
“What happen is that we generate a file (a blob) that contains an extremely long filename and prompt the user to download it every 1ms, therefore it [floods] the IPC channel between the child and main process, making the browser at very least freeze,” Haddouche told Threatpost in a message.
Haddouche tested the attack on Mac and Linux systems, which then triggered the “Mozilla Crash Reporter” notification.
A victim would need to visit a page that contains the attack source code. There is currently no way to mitigate the attack, Haddouche told Threatpost.
Mozilla did not respond to a request for comment from Threatpost regarding the attack. However, Haddouche said he has notified the company about the PoC, and they are working on a file download limitation for the browser so that the IPC channel would not be flooded by long filenames being continuously downloaded.
Once this feature is released, it should resolve the issue, said Haddouche: “However, this new feature has not been seen anywhere so far, even in the most experimental version of Firefox (Nightly),” he said.