
This thread was archived. Please ask a new question if you need help.

Firefox downloads a file, even if I choose "Cancel"

  • 8 replies
  • 2 have this problem
  • 1 view
  • Last reply by rgagnon24


This is a security issue.

I have Firefox set to always ask what to do with a download. However, a malicious website ad pushed the browser to a website posing as a Firefox update site.

This fake site popped up a download window for an obviously fake Firefox update. Knowing it was fake, and probably malicious, I clicked the cancel button to avoid any malicious code from getting on my PC.

However... Firefox apparently started downloading the file before I could click cancel (probably as an idea to save time). The problem with this is that Windows Defender detected the malicious file on the computer a few seconds later.

As the user, I clicked cancel. I would expect that THERE IS NO PART OF THE DOWNLOADED FILE anywhere on the computer unless I click "Save File".... It is a security risk to start downloading the file at all.

The file in question was located in C:\Users\MyName\AppData\Local\Temp\WNQJod1_.exe.part (which I assume is a random filename with ".part" added on while the file is only partially downloaded).

Thankfully an antivirus program detected this flaw, but Firefox can do better by not auto-downloading any file until the user approves the process.



All Replies (8)


To test this safely for yourself, set your browser to "Always ask me where to save files" on the General tab of preferences.

After doing the above, visit the EICAR anti-virus test file download page.

http://www.eicar.org/85-0-Download.html

When you click on one of the downloadable test files, let the "Save as" dialog open, but DO NOT press any button. Just wait about a minute or less...

Your antivirus software will notify you that a malicious file is on your computer.

Now, some people argue that clicking on the link to download a file is a request for the file made by the user, and that's why the download is begun before you finish selecting where to save the file. This can be considered incorrect in the event of a malicious website that prompts to download a file via an HTML "meta" tag, an HTTP header setting, or some other javascript mechanism that can start the browser downloading a file without the user initializing the action.


That is how it works in Firefox. Once you click the download button, Firefox starts downloading the file in the background to the OS temp folder. When you cancel the download, Firefox will delete the file unless your security software is locking the file to prevent access.
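An added example (not Firefox code and not posted by anyone in this thread) that models the staging behaviour described above: bytes land in a randomly named `.part` file before the user decides, Cancel deletes that file, and the deletion fails when something else holds the file open. The `.part` suffix follows the path quoted in the original post; the in-memory payload and `locked_remover` are constructed stand-ins for an HTTP body and for a scanner holding a handle.

```python
import io
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 4096


def start_download(dest_dir):
    """Create a randomly named '.part' staging file before any bytes arrive."""
    fd, part_path = tempfile.mkstemp(suffix=".part", dir=dest_dir)
    os.close(fd)
    return Path(part_path)


def stream_into_part(source, part_path, max_chunks=None):
    """Copy from file-like `source` into the .part file; stop after max_chunks."""
    written = 0
    with open(part_path, "wb") as out:
        for i, chunk in enumerate(iter(lambda: source.read(CHUNK_SIZE), b"")):
            if max_chunks is not None and i >= max_chunks:
                break  # models the user pressing Cancel mid-transfer
            out.write(chunk)
            written += len(chunk)
    return written


def cancel_download(part_path, remover=os.remove):
    """Discard the staging file; 'locked' means another process holds it open."""
    try:
        remover(part_path)
        return "deleted"
    except PermissionError:
        return "locked"


def locked_remover(path):
    """Constructed stand-in for os.remove while security software locks the file."""
    raise PermissionError(f"{path} is in use by another process")


def demo(cancel_after_chunks=1, remover=os.remove):
    """One staged download; returns (bytes_written, outcome, part_still_on_disk)."""
    payload = io.BytesIO(b"A" * 10240)  # constructed stand-in for an HTTP body
    with tempfile.TemporaryDirectory() as tmp:
        part = start_download(tmp)
        written = stream_into_part(payload, part, cancel_after_chunks)
        if cancel_after_chunks is None:
            os.replace(part, Path(tmp) / "complete.bin")  # atomic promotion
            outcome = "completed"
        else:
            outcome = cancel_download(part, remover)
        return written, outcome, part.exists()
```

The partial file is already on disk after the first chunk, which is what an on-access scanner sees; the locked case is the one where Cancel cannot clean up.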


I know that's how it works. This is a security issue I think development needs to fix. How do you post something so that they can fix it?


Chosen Solution

You may think that it is a security issue, but I disagree with you.

Feel free to file a Bugzilla report here: https://bugzilla.mozilla.org/ Read this first to learn how to write an effective Bug report. https://developer.mozilla.org/en/Bug_writing_guidelines


The reason I believe that is because Firefox can allow a malicious file to be written to disk even if the user believes they are preventing it.


Firefox will (should) remove the file immediately when you cancel the download. If you do not open the file then there shouldn't be a problem.

See this article for a similar issue with the cache and security software.


rgagnon24 said

The reason I believe that is because Firefox can allow a malicious file to be written to disk even if the user believes they are preventing it.

The fake firefox-patch.exe is not an issue in this case unless the user actually runs the .exe.


The response from cor-el with the link to:

https://support.mozilla.org/kb/Firefox+cache+file+was+infected+with+a+virus

seems to be about as far as anyone can go with this. It makes sense, and I know that not running the program means you won't get infected, unless there becomes a flaw in a program anywhere... such as Firefox, an antivirus program (which HAS happened in the past, i.e. Sophos) or something else that might be forced into running a file that is on the disk.

I guess this ticket can be closed, but I still stand by the best practice of not doing something to a user's PC if their understanding is that nothing is being done. From the perspective of the user, the cancel button means nothing goes to disk, whereas it seems that Mozilla's position is that they can write anything they want as long as it goes into the cache without regard to what the user believes is happening.

This is similar to the government listening and recording phone calls just in case they need them in the future, but they might not keep them.