Ask HN: How did they do this?
First of all, I'm sorry for the nondescript title. I don't know how else to ask.
I visited this website (http://chemistry.tutorvista.com/organic-chemistry/nitro-group.html) and was immediately greeted with a Google Chat-like message in the bottom right corner. Here's the transcript:
Tutor: Hi, I'm a Chemistry Tutor.
May I help you?
Do you want to take a free tutoring session with me?
me: o.O
Tutor: Let us start working on the whiteboard.
Please wait while the whiteboard loads
Redirecting to whiteboard
In less than 30 seconds after loading, someone had managed to engage a conversation with me and redirect my browser, without my consent, to their "Whiteboard" page. I am using Ghostery with NoScript in Firefox 20 on OS X. The only page with JS enabled was TutorVista's, so everything was apparently done on-page.How did they do this, and does this pose a security threat?
By the time I finished writing this, FF pushed an update. I'll try again under 21 to see if it still works.
Update: It still works in 21. It seemed very real at first, but I'm pretty sure it's a trigger-redirect. The messages are exactly the same. Still, I'm suspicious of how kosher the script is.
6 comments
[ 5.3 ms ] story [ 24.8 ms ] threaddocument.location.href = "http://www.google.com/ "
or the HTML meta redirect:
<meta http-equiv="refresh" content="0;url=http://www.google.com/ ">
Both of which can redirect your browser to another location.
-------------------------------
After reviewing the source code, they use javascript to submit a form which redirects you to another website, carrying along some marketing data such as what brought you to them, etc.
The Javascript is run from here: http://image.tutorvista.com/js/top_chat_box_popup.js?17
The code responsible for redirecting you is here: function startMsg_popup(type) { if(type == 'payment'){ addMsg_popup(tutor_name,"We have the right package for you.",1500,function(){ addMsg_popup(tutor_name,"Please answer a few questions on the following page.",1500, function(){ addMsg_popup("sys","Loading Questionare",500,function(){ gotoquestionare_popup(); }); }); });
}Edit: More details there is a function called "areakeyup_popup" which is called every on every keyup event. It checks to see if the enter key was pressed. If it does it calls "startMsg_popup" which springs into action the "Please wait while the whiteboard loads" message, before calling, "gotowhiteboard_popup" which creates and submits a form for you pragmatically, `redirecting` you to their `whiteboard`.
with their own JavaScript of http://image.tutorvista.com/js/buynow_popup.js?9
It's not a real person.