Script in Web Page launching iTunes w/o any clicks
Forum Regular
Join Date: Feb 2001
Location: Pittsburgh, PA, USA
Question:
Today I was looking for information on iPod specifications and saw an article on "iPod Diagnostic Mode" appear in my search results. I was curious to learn about this and clicked through on this link:
http://www.methodshop.com/mp3/ipodsu...iagnosticmode/
the web page loaded, then, automatically launched iTunes and took me to the store even though I'd not clicked on any links on the page itself!!!
What is the potential for automatic scripts run this way to do damage?
Are these just greedy bastards trying to profit from the iTunes affiliate program? Likely...is my guess, but it roasts my marshmallows to think they would do this without me consenting/clicking anything.
If I quit iTunes and relaunch it, is there any further association of my purchases with their underhanded "referral"?
I went to the same site in Camino to see what would happen and nothing did...thinking I need to turn off javascript, but yet Camino had Javascripts enabled....very strange...Tried to view page source but I'm not that sophisticated...anyone know what happened and if I need to take steps to clean my computer's links, caches, etc.?
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
It's just an ITMS link. iTunes is a handler for the ITMS protocol (for links to the Music Store) just like Safari is a handler for HTTP and Finder is a handler for FTP — those programs will open if a site redirects to an URL of that type. So it's not really any more dangerous than the programs you have on your computer.
And yeah, it's probably an attempt to cash in on the iTunes affiliate program. That's the sort of classy stuff I expect from a page riddled with IntelliTXT.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
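Added example, not part of any poster's message and not the site's actual markup: a small Node.js scanner that reads page source and reports URLs with a scheme the browser hands to another application (such as `itms:`), separating the ones that fire on page load from ordinary links that need a click. The sample HTML, the `example.invalid` host and the three load-time patterns (meta refresh, frame source, script assignment to `location`) are assumptions chosen for illustration; the thread does not say which mechanism the page used.

```javascript
// Constructed sample page source (assumption, not the real site's markup).
const SAMPLE_HTML = `
<html><head>
<meta http-equiv="refresh" content="0; url=itms://example.invalid/store?affiliate=PLACEHOLDER">
</head><body>
<a href="itms://example.invalid/album/1">Buy on iTunes</a>
<iframe src="itms://example.invalid/store" width="0" height="0"></iframe>
<script>window.location = "itms://example.invalid/store";</script>
<img src="http://example.invalid/logo.png">
</body></html>`;

// Schemes the browser handles itself; any other scheme goes to a helper app.
const BROWSER_SCHEMES = new Set(["http", "https", "about", "data", "javascript", "blob"]);

function externalScheme(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return null; // relative URL: stays in the browser
  const scheme = m[1].toLowerCase();
  return BROWSER_SCHEMES.has(scheme) ? null : scheme;
}

// Constructs that navigate on page load, with no click from the user.
const AUTO_PATTERNS = [
  { kind: "meta-refresh",
    re: /<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=\s*([^"'>\s]+)/gi },
  { kind: "frame-src", re: /<i?frame[^>]+src\s*=\s*["']([^"']+)["']/gi },
  { kind: "script-location", re: /location(?:\.href)?\s*=\s*["']([^"']+)["']/gi },
];
// Ordinary links: the handler only launches if the user clicks.
const LINK_PATTERN = { kind: "link", re: /<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi };

function findHandlerLaunches(html) {
  const findings = [];
  for (const { kind, re } of [...AUTO_PATTERNS, LINK_PATTERN]) {
    for (const m of html.matchAll(re)) {
      const scheme = externalScheme(m[1]);
      if (scheme) findings.push({ kind, scheme, url: m[1], automatic: kind !== "link" });
    }
  }
  return findings;
}

for (const f of findHandlerLaunches(SAMPLE_HTML)) {
  console.log(`${f.automatic ? "NO CLICK NEEDED" : "click required "}  ${f.kind}  ${f.url}`);
}
```

A regex scan like this is a triage aid for reading page source; it will miss handler launches assembled at runtime by script.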
Forum Regular
Join Date: Feb 2001
Location: Pittsburgh, PA, USA
Originally Posted by Chuckit
It's just an ITMS link. iTunes is a handler for the ITMS protocol (for links to the Music Store) just like Safari is a handler for HTTP and Finder is a handler for FTP — those programs will open if a site redirects to an URL of that type. So it's not really any more dangerous than the programs you have on your computer.
And yeah, it's probably an attempt to cash in on the iTunes affiliate program. That's the sort of classy stuff I expect from a page riddled with IntelliTXT.
Chuck:
Thanks for the reply...I would sooner gnaw off my arm than buy from a site that directs me to iTunes without my request...slimy so-and-sos.
Hope there isn't potential for someone to script the other handler apps to doing something other than just launching...with the bad news about scripts/viri/worms of late I guess I was edgy...
Welcome to the brave new world!
Thanks again.
Forum Regular
Join Date: Feb 2001
Location: Pittsburgh, PA, USA
Relaunched the web page looking at it in Camino.
Unchecked the preference to block pop-up windows, and when I loaded the page the warning message came up:
"An external application must be launched to handle itms: links.
((displayed html link ...... ))
If you were not expecting this request it may be an attempt to exploit a weakness in that other program. Cancel this request unless you are sure it is not malicious."
with options buttons to Cancel or Launch Application, and a check box to "Remember my choice for all links of this type"
Now, THIS is how to handle something like this--Kudos to Camino!!
Fresh-Faced Recruit
Join Date: Feb 2006
emark: Why? It's a safe protocol that Apple created, there is no need for warnings. Apple uses these links on their own website, why should there be a warning about it?
Calm down, it's not apocalypse yet...
And if you're so worried about this, even though there's no reason whatsoever to be, turn on Pop-up blocking in Safari.
Forum Regular
Join Date: Feb 2001
Location: Pittsburgh, PA, USA
Well, opening "safe" files was probably thought to be a "safe" protocol too until a few days ago.
If I had clicked on a link in the web page and then it launched a script to launch iTunes I would feel differently, but someone cramming it down my throat, whether a security threat (and really, can you tell me there isn't that potential, probably not...) or not, I don't wish for any web site to control my computer...Further, look at the problems of ActiveX on Windows. I don't have the technical ability to evaluate whether the feature allows or has gaps (whether exploited yet or not), but I do know how I feel about a site hijacking my computer...I never liked popups, but this is another level of intrusion...it should be MY CHOICE to allow or disallow.
The way Camino handled it is my preference, and IMHO should be default behavior...
I can understand that we may differ in opinion, but you did ask "Why?"
As far as pop-up blocking goes, Apple needs to implement the feature with site exceptions...there certainly are sites where it is necessary, e.g. Ameritrade's Streamer, etc...for proper/desired function. Again, Firefox/Camino has done this right...
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Eh, Camino has done it a more complicated way. Safari is essentially focused on simplicity and ease of use. If you need high customizability without third-party addons or writing your own code, Safari isn't the browser for you.
Anyway, there was already a potential exploit of an application's URL schema quite a while back. If I recall, Help Viewer allowed you to specify an AppleScript file to run, which of course could allow for arbitrary code execution. That was fixed a good long while ago.
(Last edited by Chuckit; Feb 22, 2006 at 04:32 PM.)
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Forum Regular
Join Date: Feb 2001
Location: Pittsburgh, PA, USA
I was early on the Camino bandwagon, left when dev. stopped and Safari surpassed, been splitting time, probably 85 Safari and 15 Firefox of late, but the new Camino w/ equivalent Firefox rendering engine is pretty slick...not without its own issues...but I think I'm going to start spending more time between the two.
Tried SAFT to augment Safari, and perhaps I am underutilizing it, but it doesn't have the exceptions feature available with FF and Camino...but is a great step in the right direction.
I do like the Safari integration with services for dictionary lookup, and generally find it fast and good--not on a witch hunt, but like you said Chuck
"focused on simplicity and ease of use. If you need high customizability without third-party addons or writing your own code, Safari isn't the browser for you."
Thanks for all the input...
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Yeah, I switch between browsers a lot too. None are quite all the way where I'd like.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."