Firefox Download Bug Could Crash Windows

John Lister's picture

A security researcher has found a way to crash the Firefox browser and even Windows itself. Sabri Haddouche has demonstrated the technique to highlight the risk that it could be misused.

The bug is shown off at Haddouche's site Browser Reaper, which he created to chart his interest in denial of service attacks. Normally such attacks involve flooding a website with bogus visits until it is overloaded and becomes unavailable to ordinary users.

However, Haddouche has been exploring the technique from the other perspective: forcing a browser to deal with so much traffic that it crashes.

Epic Name Causes Delay

In this case he has combined two ways to exploit the way a browser downloads files from websites. Not only does his technique force the computer to download the same file around a thousand times every second, but the file has a name that is exceptionally long.

When different parts of the browser software try to handle the download, the delay caused by handling the long filename is enough to cause a backlog with the next attempt to download the same file. That process repeats and stacks up until the browser stops responding completely. (Source:

In some cases that's the end of the matter. In others, the endless loop means that Firefox uses so much memory that Windows itself comes to a halt and needs a hard reboot (that is, physically turning the computer off).

Demo Allows Self-Destruction

On Browser Reaper, the bug can only be triggered by intentionally pressing the button to demonstrate the technique, something that's obviously not a smart idea for anyone who isn't keenly interested in security and computer coding.

However, the same technique could theoretically be used by troublemakers either by creating a misleading download link or taking advantage of other browser bugs that let sites start a download without any user action, known as a drive-by attack. It could also be useful for people who hack a website and want to deter visitors.

Haddouche has reported the bug to Mozilla. He says the easiest way to fix it is to change Firefox's code such that it will only download a certain number of files from a website before asking the user to actively confirm that they want to continue the downloads. (Source:

What's Your Opinion?

Do you think there's a real risk people will abuse this technique? Should Haddouche have given Firefox time to fix the bug before going public? Are you surprised that a major browser should be vulnerably to such a simple (in principle at least) attack?

Rate this article: 
Average: 5 (5 votes)


gdday_6551's picture

Definitely should have given Firefox more time.

sirpaultoo's picture

Why single out Firefox?
Sabri's site claims it can crash Chrome, Safari, (and Firefox) on command, as well as Safari iOS and Chrome OS. The Chrome version also crashes Microsoft Edge.
This comes only a week after he disclosed a new web code exploit that can cause an iPhone to crash, and two weeks ago found a bug that could crash all WebKit-based apps on iPhones, iPads, and Macs.
Sabri seems to be another one of those geniuses who have no common sense and no respect for others.
If Sabri didn't notify anyone before going public, he's as bad as the malware developers themselves, and should be shunned by the security community.