The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018.
Furthermore, the issue also appears to affect other browsers, such as Firefox, Vivaldi, Opera, and Brave, according to tests carried out by Bleeping Computer.
The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page.
Over the years, there have been multiple variations of download bombs, and tech support scammers have often used them to trap users on shady sites that try to lure victims into calling a tech support number to have their browser unlocked.
Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.
Google devs were made aware of this campaign, and they fixed the issue starting in Chrome 65.0.3325.70.
"This is broken again in 67.0.3396.87," said the user who spotted the problem. "[I] stumbled upon this issue by a malicious redirect to a scam site that froze my browser," he added.
Other users confirmed his findings that the recent Chrome releases are now susceptible to download bombs again.
But the issue is also more widespread than initially thought. Jérôme Segura, the Malwarebytes security expert who first analyzed this issue in February, points out that Firefox is also affected.
"Browlock freeze seems to be affecting latest version of Google Chrome again (https://t.co/9KIHSlcsws); also on Firefox (https://t.co/Au1vu7eH1B). Source: https://t.co/wNmghnrHAj" — Jérôme Segura (@jeromesegura), June 22, 2018
Opera froze for a short period, but it eventually allowed us to switch away from the PoC tab. We still needed to use the Windows Task Manager to close the browser, because the continuous downloads kept running in the background and jammed the rest of the interface afterward.
Our tests revealed that Microsoft Edge and Internet Explorer were not affected.
If you land on any tech support sites that use this trick and your browser is configured to open the last accessed site, it is possible to close the tech support site's tab before the download bomb kicks in.
This is because the tech support scam website loads the download bomb code after the entire page has loaded, giving users a few seconds to close the tab before the browser UI freezes.