
The Annoying Site: Source - tosh
https://theannoyingsite.com/index.js
======
amingilani
DO NOT CLICK OPEN THE REAL WEBSITE. Jeez, I just made that mistake. Omg, that
was bad.

I can't perfectly describe what happens but I'll try — the page jumps around
with a cat image, every time I try to kill it with cmd+w, it repawns into
another small window. I think it remaps cmd+w to cmd+p, and just plays dubstep
in the background. Oh, and at some point, a random cat headbanging cat
appears, and the voices goes from saying "a-a-a-a-a-a-a-a-a" to "I can't see
the inside of my mouth".

I think it also logged me out of gmail.

I had to kill Chrome. Don't open it in your main browser, use incognito mode,
or the private browsing mode of a different browser so that you can kill the
entire browser without losing HN access — because that's what you'll probably
end up doing.

Edit: Oh, it seems to be easier to kill on Firefox. Also, it keeps asking for
webcam and mic access, and to be set as the default application for bitcoin
links?!!!

Edit: A way to get out without killing Chrome is: "press cmd+w" to get to the
"print" screen. That seems to stop the windows from moving around. Then kill
all the other windows first, and kill this "print" window last. You'll it say
"please don't go" every time — but don't give in!

~~~
cosmojg
As someone who browses the internet with JavaScript disabled by default, I've
never felt more vindicated.

~~~
GLjEI4YbnGD27LB
Exactly, it's just a white page for me.

------
hartator
> 'YouTube': ['POST', '[https://www.youtube.com'](https://www.youtube.com'),
> {'action_logout': '1'}]

Didn't knew it was post possible to `js` fire a post on a third party website.

~~~
Waterluvian
So my understanding is that they just had to find a Google site capable of
logout and has a weak CORS setting? Am I getting that right? Usually you would
just configure, "no, don't accept VERBs from other origins."

I'd love to know why YouTube needs to allow logout from other origins.

------
gbuk2013
That was awesome, although it sounds like it would have been more annoying if
I wasn't using Firefox (which didn't make it too difficult to close the site).

Hats off to the guy, though - that was well trolled. :) And well worth it for
these 2 gems alone:

[https://www.youtube.com/watch?v=MNyG-
xu-7SQ](https://www.youtube.com/watch?v=MNyG-xu-7SQ)

[https://www.youtube.com/watch?v=nb1B3KI1u-I](https://www.youtube.com/watch?v=nb1B3KI1u-I)

------
dang
Brief but revealing discussion from a year ago:
[https://news.ycombinator.com/item?id=15935568](https://news.ycombinator.com/item?id=15935568).

It was courteous of tosh to submit the source. For those who dare, the link is
[https://theannoyingsite.com](https://theannoyingsite.com).

~~~
landa
Just a warning: this will make your machine unusable by opening a bunch of
pop-ups, download images, and playing annoying audio while flashing the
screen.

~~~
bigbugbag
Or will have no effect if you disable javascript by default as any sane person
should do.

~~~
zethraeus
It's wonderful to see that humanity has so many different definitions of
'sane'. Heterogeneity is beautiful; it makes browsing the internet like
walking through a tropical jungle.

------
maddyboo
This is interesting

    
    
      /**
       * Sites that link to theannoyingsite.com may specify `target='_blank'` to open the
       * link in a new window. For example, Messenger.com from Facebook does this.
       * However, that means that `window.opener` will be set, which allows us to redirect
       * that window. YES, WE CAN REDIRECT THE SITE THAT LINKED TO US.
       * Learn more here: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
       */
      function attemptToTakeoverReferrerWindow () {
        if (isParentWindow && window.opener && !isParentSameOrigin()) {
          window.opener.location = `${window.location.origin}/?child=true`
        }
      }
    

I checked in Chromium 70 and this only seems to work on the same origin -
attempting to access `window.opener` cross-origin results in

    
    
      Uncaught DOMException: Blocked a frame with origin "https://example.com" from accessing a cross-origin frame
    

The article linked in the code [0] and the MDN page for window.opener [1]
mention the use of `rel="noopener"` to prevent `window.opener` from being set,
but that it's not supported in all browsers - particularly Firefox, which
needs `noreferrer`. I am sure CORS headers also play a role in protecting from
this. OWASP calls this technique 'reverse tabnabbing' [2].

There's a demo [3] of the effect - you can manually inspect the first link and
change the href to [4] and then click the link to test how cross origin
requests work.

[0] [https://www.jitbit.com/alexblog/256-targetblank---the-
most-u...](https://www.jitbit.com/alexblog/256-targetblank---the-most-
underestimated-vulnerability-ever/)

[1] [https://developer.mozilla.org/en-
US/docs/Web/API/Window/open...](https://developer.mozilla.org/en-
US/docs/Web/API/Window/opener)

[2]
[https://www.owasp.org/index.php/Reverse_Tabnabbing](https://www.owasp.org/index.php/Reverse_Tabnabbing)

[3] [https://rawgit.com/waltertamboer/experiment-html-js-
window-o...](https://rawgit.com/waltertamboer/experiment-html-js-window-
opener-vuln/master/public/index.html)

[4] [https://gitcdn.link/cdn/waltertamboer/experiment-html-js-
win...](https://gitcdn.link/cdn/waltertamboer/experiment-html-js-window-
opener-vuln/master/public/vulnerable.html)

------
khrm
The author gave a talk on this:
[https://www.dotconferences.com/2017/12/feross-
aboukhadijeh-t...](https://www.dotconferences.com/2017/12/feross-aboukhadijeh-
the-most-annoying-website)

Some great links present there.

[https://feross.org/webcam-spy/](https://feross.org/webcam-spy/)

[https://feross.org/html5-fullscreen-api-
attack/](https://feross.org/html5-fullscreen-api-attack/)

[https://feross.org/](https://feross.org/)

[http://www.filldisk.com/](http://www.filldisk.com/)

[https://developer.mozilla.org/en-
US/docs/Web/API/Window/open](https://developer.mozilla.org/en-
US/docs/Web/API/Window/open)

------
bonetruck
Disappointed that I wasn't logged out of Hacker News when visiting the site...
Where is the love Annoying Site?

------
LeoPanthera
Interesting that this entire domain is blocked as malicious by my ad blocker.

~~~
SOLAR_FIELDS
It also seems to be on pi-hole’s list of blocked domains that it uses, as I
don’t resolve DNS when I try to access it from behind my pi-hole.

~~~
IE6
Yeah my pi-hole blocked this one too and after reading the comments here I am
glad :)

------
notananthem
I control w'ed twice and got out of it. Maybe I have chrome dialed up to the
max?

------
Tempest1981
Extensively commented source code. I rarely see JavaScript like this.

------
nunodonato
maybe it targets chrome users. In firefox it was mildly annoying but very easy
to kill. I did get logged out from youtube, but no big deal

------
mbrownnyc
Glad I found this video:
[https://theannoyingsite.com/hasan.mp4](https://theannoyingsite.com/hasan.mp4)

------
tejtm
be afraid. if you must, use a distinct browser you can kill.

------
wwarner
Made me laugh

