Issue 693967

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Spam site bypasses anti-spam/anti-flood mechanism, switching from normal alert to Chrome plugin install request, opening new window and hooking onbeforeunload

Reported by alessio....@gmail.com, Feb 19 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Pay attention, please
2. Go to this site: http://p9328ujeiw1.ru/umbryto/it/index.php?Repair
3. Try to exit without closing Chrome

What is the expected behavior?

What went wrong?
No way to shut down the page

Did this work before? N/A 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 24.0 r0

I think it would be a regression of "plugin manager"; thx a lot

 

Comment 2 by raymes@chromium.org, Feb 20 2017

Cc: a...@chromium.org
Components: Platform>Extensions Blink>WindowDialog
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report!

Hey meacer/avi: #1 is a great example of a horrible combination of modal prompts and extension install prompts that somehow combine in such a way that it's impossible to do anything other than install the extension or kill chrome. 

It's worth testing the link to see the behavior, just be careful not to add the extension. There may be existing bugs about this so we can de-dupe this if needed.

I reported the website to sbops. 
Project Member

Comment 3 by sheriffbot@chromium.org, Feb 21 2017

Labels: M-57
Project Member

Comment 4 by sheriffbot@chromium.org, Feb 21 2017

Labels: -Pri-2 Pri-1

Comment 5 by mea...@chromium.org, Feb 23 2017

Both pages seem to be down.

@alessio.dimaria, raymes: Did you have a copy of the pages by any chance?

Comment 6 by mea...@chromium.org, Feb 28 2017

Status: WontFix (was: Assigned)
Ping :) I don't think there is much we can do without the POCs. I'm closing the bug as wontfix, but happy to reopen if you can provide details.

Did the attack involve the page opening fake install dialogs, then switching the buttons to trick the user to accept the dialog?

I'll post another link.
That server appears and disappears,
but please, there are many behaviours of redirected pages, and I don't know what there is in the HTTP headers.

I'll use a proxy to give you a .dat

Thx

Found another URL, same thing; in resources, please look at "humir.png"
http://h12uhrj21.ru/tesliand/it/index.php?Repair
Traffic.dat
47.6 KB Download
Traffic Resources.tar
334 KB Download
Another link:
http://h12uhrj21.ru/tesliand/it/index.php?Repair


Traffic Resources.tar
334 KB Download
Traffic.dat
47.6 KB Download
Found another link:
http://h12uhrj21.ru/tesliand/it/index.php?Repair

If I attach files, my comments appear as "Deleted"..?


Project Member

Comment 11 by sheriffbot@chromium.org, Jun 6 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Here is all the data about the session
Traffic Resources.tar
383 KB Download
You're crazy, I was not able to upload details about this issue in the last months because of the security restriction on this bug report.
Labels: -allpublic Restrict-View-SecurityTeam
Status: Assigned (was: WontFix)
@alessio.dimaria: The bug was automatically opened up by a bot. You should have been able to access the bug since you are the reporter. Was that not the case?
Sorry, looks like your comments #8, #9 and #10 were marked as spam which is why I didn't notice them. Not sure if that was the spam filter or someone else marked them as such.
Project Member

Comment 16 by sheriffbot@chromium.org, Jun 7 2017

Labels: -M-57 M-59
Project Member

Comment 17 by sheriffbot@chromium.org, Jun 21 2017

meacer: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 18 by sheriffbot@chromium.org, Jul 5 2017

meacer: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 19 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60
Project Member

Comment 20 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Is there any work to do here any more? I know our behaviors have changed a bit around prompts in the last few releases.

Typically we track sites like these as abuse issues rather than security bugs, but this one is currently tagged at Medium severity without a working repro.
Status: WontFix (was: Assigned)
There are a bunch of different things going on here:

1. The page tries to clickjack the extension install dialog by first showing a fake prompt, then showing the real prompt with the buttons switched. This is being fixed in bug 394518 (we already have a delay on Windows before the user can accept the dialog).
2. The page steals focus by showing alerts. Avi has been doing a lot of work in this area:
- Tabs showing alert dialogs can now be killed
- There is an intent to deprecate and remove for alert() activating tabs (https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/5ia5klTZjwA)
3. The page uses inline install while in fullscreen mode. This was blocked in bug 488143, though there is still follow-up work in bug 695266 and bug 734396.
4. There is audio playing while the inline install dialog is displayed. This is bug 659724.
5. Inline install dialogs should ideally be throttled. This is bug 581763 and bug 697569.

Some of these have been fixed and others are already tracked, so I don't think there is anything left to do in this bug. As such I'm closing it.

Also note that most of these bugs were reported before this one, except bug 695266, bug 734396 and bug 697569. Bug 695266 and bug 734396 were filed as direct follow-ups to bug 488143.

alessio.dimaria@: Please let me know if I missed anything.
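
The behaviours enumerated in the closing comment above can be looked for when triaging captured page source, such as a saved traffic archive. The following is an added example, not part of the original thread and not Chromium code; the rule ids, verdict names and both sample pages are constructed for illustration.

```javascript
// Added example: static triage of captured page source (HTML plus inline JS).
// Rule ids and verdict names are hypothetical; "item" is the numbered point
// in the closing comment of this issue that the rule corresponds to.
const RULES = [
  { id: "inline-install", item: "1, 3, 5", re: /chrome\.webstore\.install\s*\(/g },
  { id: "alert-focus", item: "2", re: /\b(?:alert|confirm|prompt)\s*\(/g },
  { id: "fullscreen", item: "3",
    re: /\b(?:webkitR|mozR|msR|r)equestFull[Ss]creen\s*\(/g },
  { id: "autoplay-audio", item: "4", re: /<audio\b[^>]*\bautoplay\b/gi },
  { id: "unload-hook", item: "title",
    re: /onbeforeunload\s*=|addEventListener\s*\(\s*['"]beforeunload['"]/g },
];

// Behaviours that keep the user from leaving or from reaching browser UI.
const TRAPPING = ["alert-focus", "fullscreen", "unload-hook"];

function scanPage(source) {
  const hits = {};
  for (const rule of RULES) {
    const count = (source.match(rule.re) || []).length;
    if (count > 0) hits[rule.id] = count;
  }
  const trapping = TRAPPING.filter((id) => id in hits);
  // An install request combined with any trapping behaviour is the pattern
  // described in this issue; trapping alone is tracked as abuse, not install.
  let verdict = "clean";
  if (hits["inline-install"] && trapping.length > 0) verdict = "install-trap";
  else if (hits["inline-install"]) verdict = "inline-install-only";
  else if (trapping.length >= 2) verdict = "trap-no-install";
  return { hits, trapping, verdict };
}

// Constructed samples, not taken from the reported sites.
const SUSPECT = [
  '<audio autoplay loop src="warning.mp3"></audio>',
  "<script>",
  "window.onbeforeunload = function () { return 'stay'; };",
  "document.documentElement.webkitRequestFullscreen();",
  "alert('msg'); alert('msg');",
  "chrome.webstore.install();",
  "</script>",
].join("\n");
const BENIGN = "<script>window.onbeforeunload = warnUnsaved;</script>";

console.log(scanPage(SUSPECT), scanPage(BENIGN));
```

A match is only a reason to open the page in an isolated browser profile for a closer look: the regular expressions do not parse JavaScript, so obfuscated or dynamically built calls are missed.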
Project Member

Comment 24 by sheriffbot@chromium.org, Feb 15 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
