homepage Welcome to WebmasterWorld Guest from 54.166.111.111
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

    
Does anyone know how this works?
linkshark




msg:660202
 6:17 pm on Apr 27, 2001 (gmt 0)

I was surfing aaddultt pages looking for new javascripts and found a page that executes a "stealth bookmark" through <iframe> tags(1 x 1 pixel) that places stealth favorites in IE. It goes under the disguise of "www.domain.com/hitcount.html?account=site" but installs 2 favorites (1 is the site and 1 is the sponsor) w/o the users knowledge (unless you surf w/ the favorites window open).

How is this done?

LS

 

Xoc




msg:660203
 6:14 am on Apr 29, 2001 (gmt 0)

The following code should add a favorite to the IE favorites, but it is supposed to ask you first if it can do that. I haven't used it, just found it from the Microsoft web site while looking for something else.

<SCRIPT>
<!--
if ((navigator.appVersion.indexOf("MSIE") > 0)
&& (parseInt(navigator.appVersion) >= 4)) {
document.write("<U>
<SPAN STYLE='color:blue;cursor:hand;'
onclick='window.external.AddFavorite(location.href, document.title);'>
Add this page to your favorites</SPAN>
</U>");
}
//-->
</SCRIPT>

tedster




msg:660204
 6:48 am on Apr 29, 2001 (gmt 0)

Just guessing here --

I'm wondering what would happen in the code Xoc posted if the onClick event handler was replaced with something more common than a click, say, onMouseOver. And the SPAN was not text but a clear gif that stretched the length of the page on the right hand side, where the cursor is most likely to be.

If that works, it's still devious and invasive, but at least it's not a total security hole. I really hope there's no way to place a favorite without any user action at all (for instance, onLoad)

Xoc




msg:660205
 6:58 am on Apr 29, 2001 (gmt 0)

The critical code is:

window.external.AddFavorite(location.href, document.title);

So if you put that on an onLoad, it should actually try to add it to your favorites. But it is supposed to ask you first. I'm too jet-lagged right now to try it.

theperlyking




msg:660206
 10:27 am on Apr 29, 2001 (gmt 0)

I once noticed that a site both added itself to my bookmarks and changed my home page to itself without even asking:(
To make it more disturbing i'd been looking at a computer security related page that had a risque ad pop up, it was this pop up that seemed to have done it and.... my home page was now a porn site!

linkshark




msg:660207
 2:01 pm on Apr 29, 2001 (gmt 0)

This works but still asks for a user prompt alert box:

<SCRIPT>
//window.external.ImportExportFavorites(1,"c:\\fav.imp");
window.external.ImportExportFavorites(1,"http://www.domain.com/fav.imp");
</SCRIPT>

In another file fav.imp
(netscape bookmark file)

<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="********URL HERE********">TITLE</A>
<DT><A HREF="*********URL HERE************">TITLE</A>
</DL>

But this asks for a prompt similar to the "set your home page to xyz.com" alert box. Must be missing something that keeps it stealth. Definitely some sort of hackkkkk. That site I found that imported the favorites had no alert box and the whole thing operated from 1x1 <Iframes> without user knowledge.

Source: [guninski.com...]

LS

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved