Welcome to WebmasterWorld Guest from 23.22.140.143

Forum Moderators: incrediBILL

Message Too Old, No Replies

Does anyone know how this works?

     
6:17 pm on Apr 27, 2001 (gmt 0)

Junior Member

10+ Year Member

joined:July 15, 2000
posts:188
votes: 0


I was surfing aaddultt pages looking for new javascripts and found a page that executes a "stealth bookmark" through <iframe> tags(1 x 1 pixel) that places stealth favorites in IE. It goes under the disguise of "www.domain.com/hitcount.html?account=site" but installs 2 favorites (1 is the site and 1 is the sponsor) w/o the users knowledge (unless you surf w/ the favorites window open).

How is this done?

LS

Xoc

6:14 am on Apr 29, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 18, 2001
posts:1437
votes: 0


The following code should add a favorite to the IE favorites, but it is supposed to ask you first if it can do that. I haven't used it, just found it from the Microsoft web site while looking for something else.

<SCRIPT>
<!--
if ((navigator.appVersion.indexOf("MSIE") > 0)
&& (parseInt(navigator.appVersion) >= 4)) {
document.write("<U>
<SPAN STYLE='color:blue;cursor:hand;'
onclick='window.external.AddFavorite(location.href, document.title);'>
Add this page to your favorites</SPAN>
</U>");
}
//-->
</SCRIPT>
6:48 am on Apr 29, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts:37301
votes: 0


Just guessing here --

I'm wondering what would happen in the code Xoc posted if the onClick event handler was replaced with something more common than a click, say, onMouseOver. And the SPAN was not text but a clear gif that stretched the length of the page on the right hand side, where the cursor is most likely to be.

If that works, it's still devious and invasive, but at least it's not a total security hole. I really hope there's no way to place a favorite without any user action at all (for instance, onLoad)

Xoc

6:58 am on Apr 29, 2001 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 18, 2001
posts:1437
votes: 0


The critical code is:

window.external.AddFavorite(location.href, document.title);

So if you put that on an onLoad, it should actually try to add it to your favorites. But it is supposed to ask you first. I'm too jet-lagged right now to try it.

10:27 am on Apr 29, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 21, 2001
posts:419
votes: 0


I once noticed that a site both added itself to my bookmarks and changed my home page to itself without even asking:(
To make it more disturbing i'd been looking at a computer security related page that had a risque ad pop up, it was this pop up that seemed to have done it and.... my home page was now a porn site!
2:01 pm on Apr 29, 2001 (gmt 0)

Junior Member

10+ Year Member

joined:July 15, 2000
posts:188
votes: 0


This works but still asks for a user prompt alert box:

<SCRIPT>
//window.external.ImportExportFavorites(1,"c:\\fav.imp");
window.external.ImportExportFavorites(1,"http://www.domain.com/fav.imp");
</SCRIPT>

In another file fav.imp
(netscape bookmark file)

<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL>
<DT><A HREF="********URL HERE********">TITLE</A>
<DT><A HREF="*********URL HERE************">TITLE</A>
</DL>

But this asks for a prompt similar to the "set your home page to xyz.com" alert box. Must be missing something that keeps it stealth. Definitely some sort of hackkkkk. That site I found that imported the favorites had no alert box and the whole thing operated from 1x1 <Iframes> without user knowledge.

Source: [guninski.com...]

LS

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members