Just a warning: this will make your machine unusable by opening a bunch of pop-ups, download images, and playing annoying audio while flashing the screen.
It's wonderful to see that humanity has so many different definitions of 'sane'. Heterogeneity is beautiful; it makes browsing the internet like walking through a tropical jungle.
It escapes from being malicious only because it is very explicit on what it does. But it's very likely that are malicious links to it that hide its destiny.
And it's entirely what ad-blockers should be out to block. So, yes, good thing that it's blocked.
DO NOT CLICK OPEN THE REAL WEBSITE. Jeez, I just made that mistake. Omg, that was bad.
I can't perfectly describe what happens but I'll try — the page jumps around with a cat image, every time I try to kill it with cmd+w, it repawns into another small window. I think it remaps cmd+w to cmd+p, and just plays dubstep in the background. Oh, and at some point, a random cat headbanging cat appears, and the voices goes from saying "a-a-a-a-a-a-a-a-a" to "I can't see the inside of my mouth".
I think it also logged me out of gmail.
I had to kill Chrome. Don't open it in your main browser, use incognito mode, or the private browsing mode of a different browser so that you can kill the entire browser without losing HN access — because that's what you'll probably end up doing.
Edit: Oh, it seems to be easier to kill on Firefox. Also, it keeps asking for webcam and mic access, and to be set as the default application for bitcoin links?!!!
Edit: A way to get out without killing Chrome is: "press cmd+w" to get to the "print" screen. That seems to stop the windows from moving around. Then kill all the other windows first, and kill this "print" window last. You'll it say "please don't go" every time — but don't give in!
I somehow managed to escape without killing chrome, after I closed a dozen of the windows with a combination of cmd+w and clicking the close button. It definitely logged me out of my google and amazon accounts.
Microsoft Edge had no trouble dealing with it. I let it rip, with the adblocker off to see if it would crash. Handled it all fine. Then I just told it to close all the additional windows it brought up.
I laughed so hard reading your comment then sources. A bit unfortunate (or not), on mobile it doesn’t seem to do anything interesting other than pollute my history with a bunch of entries.
I did the same as you of curiosity and was wondering what this site is even supposed to do.
I guess my disabling of javascript by default to avoid annoyances, improve performance and save battery rendered the annoying part useless.
Sometimes I wish mozilla had chosen to make firefox more like opera (the real opera, not the chrome based one) and not like chrome with the quick disable/enable script setting instead of removing the possibility to disable javascript altogether. Actually I wish opera was still around to not have to deal with mozilla nonsense by resorting to using a different build (waterfox) to mitigate most of it.
Yeah I hate that they burried the option to disable JS and even worse to disable JS moving and resizing a window around the screen. At least make those things the end-user is asked for permission to allow.
I hate the dumbing-down of browser configuration (and UIs in general) too, but given the actual people who make the decisions on what browsers do, it's not surprising --- turning the userbase into obedient ad-clicking dummies (and preventing them from learning about e.g. the world of disabled JS) is the best way to monetise them, after all.
I think they can dumb it down if they want.... BUT have an 'advanced' button for people who know what they're doing. I wonder how simple of a plugin it could be to make a 'Firefox Config Plus' if one doesn't already exist...
That was awesome, although it sounds like it would have been more annoying if I wasn't using Firefox (which didn't make it too difficult to close the site).
Hats off to the guy, though - that was well trolled. :) And well worth it for these 2 gems alone:
/**
* Sites that link to theannoyingsite.com may specify `target='_blank'` to open the
* link in a new window. For example, Messenger.com from Facebook does this.
* However, that means that `window.opener` will be set, which allows us to redirect
* that window. YES, WE CAN REDIRECT THE SITE THAT LINKED TO US.
* Learn more here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
*/
function attemptToTakeoverReferrerWindow () {
if (isParentWindow && window.opener && !isParentSameOrigin()) {
window.opener.location = `${window.location.origin}/?child=true`
}
}
I checked in Chromium 70 and this only seems to work on the same origin - attempting to access `window.opener` cross-origin results in
Uncaught DOMException: Blocked a frame with origin "https://example.com" from accessing a cross-origin frame
The article linked in the code [0] and the MDN page for window.opener [1] mention the use of `rel="noopener"` to prevent `window.opener` from being set, but that it's not supported in all browsers - particularly Firefox, which needs `noreferrer`. I am sure CORS headers also play a role in protecting from this. OWASP
calls this technique 'reverse tabnabbing' [2].
There's a demo [3] of the effect - you can manually inspect the first link and change the href to [4] and then click the link to test how cross origin requests work.
So my understanding is that they just had to find a Google site capable of logout and has a weak CORS setting? Am I getting that right? Usually you would just configure, "no, don't accept VERBs from other origins."
I'd love to know why YouTube needs to allow logout from other origins.
40 comments
[ 3.6 ms ] story [ 88.3 ms ] threadIt was courteous of tosh to submit the source. For those who dare, the link is https://theannoyingsite.com.
(For... suitably small values of SFW?)
And it's entirely what ad-blockers should be out to block. So, yes, good thing that it's blocked.
It seems to be overreaching here as this is definitely not an ad.
I can't perfectly describe what happens but I'll try — the page jumps around with a cat image, every time I try to kill it with cmd+w, it repawns into another small window. I think it remaps cmd+w to cmd+p, and just plays dubstep in the background. Oh, and at some point, a random cat headbanging cat appears, and the voices goes from saying "a-a-a-a-a-a-a-a-a" to "I can't see the inside of my mouth".
I think it also logged me out of gmail.
I had to kill Chrome. Don't open it in your main browser, use incognito mode, or the private browsing mode of a different browser so that you can kill the entire browser without losing HN access — because that's what you'll probably end up doing.
Edit: Oh, it seems to be easier to kill on Firefox. Also, it keeps asking for webcam and mic access, and to be set as the default application for bitcoin links?!!!
Edit: A way to get out without killing Chrome is: "press cmd+w" to get to the "print" screen. That seems to stop the windows from moving around. Then kill all the other windows first, and kill this "print" window last. You'll it say "please don't go" every time — but don't give in!
Edit: here's a talk by the author: https://www.youtube.com/watch?v=6pY9Bfwfj2A
Of course, it did log me out of everything.
I guess my disabling of javascript by default to avoid annoyances, improve performance and save battery rendered the annoying part useless.
Sometimes I wish mozilla had chosen to make firefox more like opera (the real opera, not the chrome based one) and not like chrome with the quick disable/enable script setting instead of removing the possibility to disable javascript altogether. Actually I wish opera was still around to not have to deal with mozilla nonsense by resorting to using a different build (waterfox) to mitigate most of it.
I hate the dumbing-down of browser configuration (and UIs in general) too, but given the actual people who make the decisions on what browsers do, it's not surprising --- turning the userbase into obedient ad-clicking dummies (and preventing them from learning about e.g. the world of disabled JS) is the best way to monetise them, after all.
Hats off to the guy, though - that was well trolled. :) And well worth it for these 2 gems alone:
https://www.youtube.com/watch?v=MNyG-xu-7SQ
https://www.youtube.com/watch?v=nb1B3KI1u-I
There's a demo [3] of the effect - you can manually inspect the first link and change the href to [4] and then click the link to test how cross origin requests work.
[0] https://www.jitbit.com/alexblog/256-targetblank---the-most-u...
[1] https://developer.mozilla.org/en-US/docs/Web/API/Window/open...
[2] https://www.owasp.org/index.php/Reverse_Tabnabbing
[3] https://rawgit.com/waltertamboer/experiment-html-js-window-o...
[4] https://gitcdn.link/cdn/waltertamboer/experiment-html-js-win...
Didn't knew it was post possible to `js` fire a post on a third party website.
I'd love to know why YouTube needs to allow logout from other origins.
Some great links present there.
https://feross.org/webcam-spy/
https://feross.org/html5-fullscreen-api-attack/
https://feross.org/
http://www.filldisk.com/
https://developer.mozilla.org/en-US/docs/Web/API/Window/open