Firefox downloads a file, even if I choose "Cancel"
This is a security issue.
I have firefox set to always ask what to do with a download. However, a malicious website ad pushed the browser to a website posing as a firefox update site.
This fake site popped up a download window for an obviously fake firefox update. Knowing it was fake, and probably malicious, I clicked the cancel button to avoid any malicious code from getting on my PC.
However.... Firefox apparently started downloading the file before I could click cancel (probably as an idea to save time). The problem with this, is that Windows Defender detected the malicious file on the computer a few seconds later.
As the user, I clicked cancel. I would expect that THERE IS NO PART OF THE DOWNLOADED FILE anywhere on the computer unless I click "Save File".... It is a security risk to start downloading the file at all.
The file in question was located in C:\Users\MyName\AppData\Local\Temp\WNQJod1_.exe.part (which i assume is a random filename with ".part" added on while the file is only partially downloaded.)
Thankfully an antivirus program detected this flaw, but Firefox can do better by not auto-downloading any file until the user approves the process.
الحل المُختار
You may think that it is a security issue, but I disagree with you.
Feel free to file a Bugzilla report here: https://bugzilla.mozilla.org/ Read this first to learn how to write an effective Bug report. https://developer.mozilla.org/en/Bug_writing_guidelines
Read this answer in context 👍 0All Replies (8)
To test this safely for yourself, set your browser to "Always ask me where to save files" on the General tab of preferences.
After doing the above, visit the EICAR anti-virus test file download page.
http://www.eicar.org/85-0-Download.html
When you click on one of the downloadable test files, let the "Save as" dialog open, but DO NOT press any button. Just wait about a minute or less...
You antivirus software will notify you that a malicious file is on your computer.
Now, some people argue that clicking on the link to download a file is a request for the file made by the user, and that's why the download is begun before you finish selecting where to save the file. This can be considered incorrect in the event of a malicious website that prompts to download a file via an HTML "meta" tag, an HTTP header setting, or some other javascript mechanism that can start the browser downloading a file without the user initializing the action.
That is how it works in Firefox. Once you click the downloads button then Firefox start downloading the file in the background to the OS temp folder. When you cancel the download then Firefox will delete the file unless your security software is locking the file to prevent access.
I know that's how it works. This is a security issue I think development needs to fix. How do you post something so that they can fix it?
الحل المُختار
You may think that it is a security issue, but I disagree with you.
Feel free to file a Bugzilla report here: https://bugzilla.mozilla.org/ Read this first to learn how to write an effective Bug report. https://developer.mozilla.org/en/Bug_writing_guidelines
The reason I believe that is because Firefox can allow a malicious file to be written to disk even if the user believes they are preventing it.
Firefox will (should) remove the file immediately when you cancel the download. If you do not open the file then there shouldn't be a problem.
See this article for a similar issue with the cache and security software.
rgagnon24 said
The reason I believe that is because Firefox can allow a malicious file to be written to disk even if the user believes they are preventing it.
The fake firefox-patch.exe is not a issue in this case unless the user actually runs the .exe.
The response from cor-el with the link to:
https://support.mozilla.org/kb/Firefox+cache+file+was+infected+with+a+virus
seems to be about as far as anyone can go with this. It makes sense, and I know that not running the program means you won't get infected, unless there becomes a flaw in a program anywhere... such as Firefox, an antivirus program (which HAS happened in the past, IE: Sophos) or something else that might be forced into running a file that is on the disk.
I guess this ticket can be closed, but I still stand by the best practice of not doing something to a user's PC if their understanding is that nothing is being done. From the perspective of the user, the cancel button means nothing goes to disk, whereas it seems that Mozilla's position is that they can write anything they want as long as it goes into the cache without regard to what the user believes is happening.
This is similar to the government listening and recording phone calls just in case they need them in the future, but they might not keep them.