

Ask HN: How did they do this? - chm

First of all, I'm sorry for the nondescript title. I don't know how else to ask.

I visited this website (http://chemistry.tutorvista.com/organic-chemistry/nitro-group.html) and was immediately greeted with a Google Chat-like message in the bottom right corner. Here's the transcript:

    Tutor:  Hi, I'm a Chemistry Tutor.
    May I help you?
    Do you want to take a free tutoring session with me?
    me:  o.O
    Tutor:  Let us start working on the whiteboard.
    Please wait while the whiteboard loads
    Redirecting to whiteboard

In less than 30 seconds after loading, someone had managed to engage in a conversation with me and redirect my browser, without my consent, to their "Whiteboard" page. I am using Ghostery with NoScript in Firefox 20 on OS X. The only page with JS enabled was TutorVista's, so everything was apparently done on-page.

How did they do this, and does this pose a security threat?

*By the time I finished writing this, FF pushed an update. I'll try again under 21 to see if it still works.*

Update: It still works in 21. It seemed very real at first, but I'm pretty sure it's a trigger-redirect. The messages are exactly the same. Still, I'm suspicious of how kosher the script is.
======
Jeremy1026
It isn't a real person, it's all done in JavaScript. Seems to me like your
NoScript isn't working properly, or isn't configured properly.

The JavaScript is run from here:
<http://image.tutorvista.com/js/top_chat_box_popup.js?17>

The code responsible for redirecting you is here:

    function startMsg_popup(type) {
        if(type == 'payment'){
            addMsg_popup(tutor_name,"We have the right package for you.",1500,function(){
                addMsg_popup(tutor_name,"Please answer a few questions on the following page.",1500, function(){
                    addMsg_popup("sys","Loading Questionare",500,function(){
                        gotoquestionare_popup();
                    });
                });
            });
        }
        else{
            addMsg_popup(tutor_name,"Let us start working on the whiteboard.",2000,function(){
                addMsg_popup(tutor_name,"Please wait while the whiteboard loads",2000, function(){
                    addMsg_popup("sys","Loading Whiteboard",1000,function(){
                        gotowhiteboard_popup();
                    });
                });
            });
        }
    }

Edit: More details: there is a function called "areakeyup_popup" which is
called on every keyup event. It checks to see if the enter key was
pressed. If it was, it calls "startMsg_popup", which springs into action the
"Please wait while the whiteboard loads" message, before calling
"gotowhiteboard_popup", which creates and submits a form for you programmatically,
`redirecting` you to their `whiteboard`.

------
shanelja
Presumably, they either used JavaScript via:

    document.location.href = "http://www.google.com/"

or the HTML meta redirect:

    <meta http-equiv="refresh" content="0;url=http://www.google.com/">

Both of which can redirect your browser to another location.

~~~
chm
So the redirect was there all along, waiting for a trigger?

~~~
shanelja
More than likely. The way I would do it would be to wait for content entry,
i.e. your "o.O", and post my message along with a redirect with a few seconds' lag,
to give you time to read that you were being redirected before redirecting
you.

~~~
shanelja
I was wrong

-------------------------------

After reviewing the source code, they use JavaScript to submit a form which
redirects you to another website, carrying along some marketing data such as
what brought you to them, etc.

------
benologist
They have an iFrame of
<http://www.tutorvista.com/iframe_container/iframe_popup_buynow>

with their own JavaScript of
<http://image.tutorvista.com/js/buynow_popup.js?9>

It's not a real person.
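
The following is an added example, not part of the thread or of the site's code: one way to observe or block the script-driven form submission described above, by wrapping `submit()` itself. The domains, field names, `guardProgrammaticSubmit` and the fake form prototype are constructed for illustration.

```javascript
// A form.submit() call made by script does not dispatch a "submit" event, so an
// event listener alone would miss this kind of redirect; the method is wrapped instead.
function guardProgrammaticSubmit(formProto, pageUrl, decide, log) {
  const nativeSubmit = formProto.submit;
  formProto.submit = function guardedSubmit() {
    // Resolve the action against the page URL, as the browser would.
    const target = new URL(this.action || pageUrl, pageUrl);
    // Names of the fields the script attached (e.g. tracking or marketing data).
    const fields = Array.from(this.elements || [], (el) => el.name).filter(Boolean);
    const record = {
      method: (this.method || "get").toLowerCase(),
      target: target.href,
      crossOrigin: target.origin !== new URL(pageUrl).origin,
      fields,
    };
    log.push(record);
    // decide() is the policy hook: return true to let the navigation proceed.
    if (!decide(record)) return false;
    nativeSubmit.call(this);
    return true;
  };
  // Undo function so the wrapper can be removed again.
  return () => { formProto.submit = nativeSubmit; };
}

// Constructed stand-in for HTMLFormElement.prototype so the example runs in Node.
function makeFakeFormProto(navigations) {
  return { submit() { navigations.push(this.action); } };
}

function demo() {
  const navigations = [];
  const log = [];
  const proto = makeFakeFormProto(navigations);
  const restore = guardProgrammaticSubmit(
    proto, "http://page.example/article.html",
    (rec) => !rec.crossOrigin, // sample policy: block cross-origin script submits
    log);
  // Constructed forms, shaped like ones a script builds with createElement("form").
  const offsite = Object.assign(Object.create(proto), {
    action: "http://other.example/whiteboard", method: "POST",
    elements: [{ name: "referrer" }, { name: "campaign" }],
  });
  const local = Object.assign(Object.create(proto), {
    action: "/search", method: "get", elements: [{ name: "q" }],
  });
  const results = [offsite.submit(), local.submit()];
  restore();
  return { results, navigations, log };
}
```

In a browser userscript the same wrapper would be given `HTMLFormElement.prototype` and `location.href`, with `decide` set to whatever policy you want (log only, confirm, or block).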

