Someone tell me what part of the W3C standards says it's ok to open iframes for protocols you do not natively support? Also, why does it keep that app frontmost and Safari unresponsive?
http://www.xvsxp.com/applications/internet/malicious-iframe-script.html
Why is it so hard to understand the word malicious for some people?
That is one hella annoying link. Maybe a bit more of a warning (ie. what it does) would be a good idea?
I suppose that is just my stupidity for clicking the link instead of checking out what it does first...
Posted by: davidokeby on July 20, 2003 3:24 AM
Er... yeah, I'm gonna have to agree with the warning thing. If I had known it would do something so bloody annoying, I wouldn't have clicked it.
Anyway, what it does is launch Terminal and spawns what seems to be an endless amount of windows 'til it's Force Quitted (I know that's not a word). Worse yet, it relaunches itself unless Safari's been quit too.
I know not the technical terms for it if people want that, but it's a sure-fire way to annoy the crap out of someone.
(Or crash them if running Windows perhaps? :P)
Posted by: Michael Salbato on July 20, 2003 4:35 AM
I agree with the previous comments, you could've posted a warning, not just a fiendishly inviting clickable link.
Had to force quit Terminal and Safari -- made me lose my America's Army download that was running in curl under Terminal. It was at 87 percent. Now it won't resume the transfer. Thanks.
Posted by: Lauri Kieksi on July 20, 2003 6:44 AM
Come on! If his description didn't warn you, at least the name of the page should have. For all you know, it could have crashed your computers. Don't click if you're not willing to pay.
Posted by: simon on July 20, 2003 10:13 AM
Well, I just looked at the source, and it's not COMPLETELY malicious.
It will stop after having opened 800 Terminal windows.... So you didn't HAVE to force-quit Terminal :)
I'll bet BareBones is proud to have their product name in the source, too....
Posted by: Inspired on July 20, 2003 10:43 AM
"For all you know, it could have crashed your computers."
Not exactly. His description mentioned Safari becoming unresponsive. That was something I and probably the others were prepared for, but not the other bit that wasn't mentioned...
Posted by: Lauri Kieksi on July 20, 2003 10:58 AM
I'm not sure what part of "malicious" people do not understand ;)
Posted by: Rosyna on July 20, 2003 11:09 AM
Maybe people need to stop reading this blog, since they do not seem to be able to comprehend "malicious-iframe-script". Sheesh.
If that link upsets you all, I'd really hate to see you when something really bad happens. LOL -- it was a link that opened a few Terminal windows. Laugh.
Posted by: Noel D. Jackson on July 20, 2003 12:52 PM
Maybe the point is to prove out the advantages Camino still has over Safari. All I had to do is close the window in Camino.... no force quit required..... except for the Terminal of course. Good to know that people are laying the groundwork for the coming OSX virus attacks. Maybe Apple can release a security update or something to prevent this kind of thing before it causes real damage.
Posted by: mrtew on July 20, 2003 1:10 PM
oooo...i'm so angry at whoever wrote that script...i will break my foot off in their @$$
Posted by: paularms on July 20, 2003 1:15 PM
Here's the source ... with brackets instead of HTML, just in case it'd render within the comments.
[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd"]
[html]
[head]
[title]Untitled[/title]
[meta name="generator" content="BBEdit 6.5.3"]
[/head]
[body]
[script type="text/javascript"]
for (var loopVar = 1; loopVar [= 800; loopVar++)
document.write("[iframe src=telnet://towel.blinkenlights.nl][/iframe]")
next
[/script]
[/body]
[/html]
"made me lose my America's Army download that was running in curl under Terminal"
curl -O -C - http://... (or something like that)
continue download :-)
Posted by: Jonas Munk on July 21, 2003 12:54 AM
It's not that I can't understand the word "malicious."
If you were talking about a virus, would you link to a page about the virus or the virus itself? Same deal here.
Posted by: josh on July 21, 2003 8:51 AM
For those that are interested, what happens under the same circumstances on MS Windows (2000) is exactly the same thing. It spawns a multitude of telnet sessions and IE becomes unresponsive.
Response: Force-Quit IE and quit all the Telnet sessions by hand (Alt-F4).
Posted by: Steve Jacobs on July 21, 2003 8:10 PM
Hehe, just tried it on a slower machine running 2000 client and the whole machine was practically comatose.
Posted by: on July 22, 2003 10:28 PM
I'm using Safari (for which I am thanked at the bottom of the page, despite being insulted for it at the top), and I don't know why people had to Force Quit anything. I just quit the Terminal (Cmd-Q), and closed the offending Safari window (Cmd-W). Nothing was ever unresponsive. Perhaps it would be hard to close all of those windows individually with the mouse, but I'm not dumb enough to try.
I don't see what the argument against Safari is. I mean, what part of the W3C spec says NOT to open non-http URLs in iframes? Yeah, it's obviously wrong behavior, but I doubt it's ever even remotely touched upon in the spec. You may not be aware of this, but W3C specs are always overwhelmingly incomplete, because the people who write them don't have to implement them. Also recall that browser popup windows ARE a part of the W3C spec for JS. When they wrote the thing, nobody realized that assclowns would start using them for bombarding you with advertisements.
Safari just assumes that URLs in iframes should be treated just like any other. And what does Safari do when you click a telnet:// link? It opens telnet. Of course the spec doesn't say to do so: because nobody would ever use a non-http URL in an iframe.
You claim that the link could have potentially done something much worse, but really, that's stretching it a bit. This isn't a buffer overflow or anything that's a mark of bad design -- you can't run arbitrary code. All you can really do is launch apps with the same arguments as any normal link. What are you going to do next? Use mailto: ? gopher: ? I'm shaking in my boots.
This is not a security issue, it is not exploitable, it is extremely easy to fix with a few lines of sanity-checking.
Posted by: Nick on July 24, 2003 2:47 PM
Ok Rosyna, now you're getting ME in trouble ;).
So to all who wonder why I wrote this page, Rosyna posted a link on my bbs site to a very similar page, but that other page 1) had a .jpg extension and 2) used vbscript. The initial assumption was this demonstrated an exploit unique to PCs. So I took up the challenge and wrote a javascript version of the page to demonstrate that Mac users can be inconvenienced by this particular code too. On MY site I have a nice disclaimer next to the link ;).
Unfortunately I don't run Macs all the time, so I tried this on a machine I don't care about and expect to crash (i.e. win2k)... It tried real hard to dump the box, but I managed to get the link. (I just HAD to see what would happen)
Afterwards... I telnetted into towel.blinkenlights.nl and it's actually pretty neat. While I don't know what will happen via an OS X term specifically, it should be the same as what I'm getting via SecureCRT and seems pretty innocuous.
Someone probably posted the link to a blog and discovered the mess it causes.
Posted by: Grant on October 14, 2003 10:20 AM
This sort of "attack" might be no big deal for the victim who clicks on the link, but it's a fairly good way to overwhelm the telnet server. I'd love to watch Star Wars in ASCII, but now this script is making the rounds of the internet (I came across it in trojan horse form -- serves me right for downloading cracks) that pleasure will never be mine.
Posted by: squirk on November 5, 2004 4:37 AM
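Nick's remark above that this is "extremely easy to fix with a few lines of sanity-checking" is the kind of scheme allowlist shown here. This is an added example, not code from the page or from any browser: it accepts only web schemes for frame sources, so a telnet:, mailto: or gopher: src is dropped instead of being handed to an external application, and it counts how many frames in a chunk of markup (constructed input) would have been refused. The base URL and the regex-based tag scan are assumptions for the demonstration.

```javascript
// Added example: allowlist of schemes a page may embed in an iframe.
// Anything else (telnet:, mailto:, gopher:, file:, javascript:, ...) is refused
// rather than passed to whatever handler the OS has registered for it.
const ALLOWED_FRAME_SCHEMES = new Set(["http:", "https:", "about:"]);

// Returns the parsed URL when `src` is acceptable as a frame source under the
// given base document URL, otherwise null. Relative sources inherit the base's
// scheme, so "page.html" on an https: document is accepted as https:.
// The default base is a constructed placeholder.
function checkFrameSrc(src, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(src, base);
  } catch (e) {
    return null;                 // unparsable: refuse
  }
  if (!ALLOWED_FRAME_SCHEMES.has(url.protocol)) return null;
  // about: is only allowed as the empty frame, not arbitrary about: pages.
  if (url.protocol === "about:" && url.href !== "about:blank") return null;
  return url;
}

// Detection side: scan raw markup for <iframe ... src=...> and report how many
// sources would be refused. Assumes one src attribute per iframe tag; the
// regex is a simplification, not a full HTML parser.
function countRejectedFrames(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let total = 0, rejected = 0;
  for (const m of html.matchAll(re)) {
    total++;
    const src = m[2] ?? m[3] ?? m[4];
    if (checkFrameSrc(src) === null) rejected++;
  }
  return { total, rejected };
}

// Hardened version of the page's document.write loop: every source goes
// through the check and refused ones are silently dropped.
function buildFrames(sources) {
  const out = [];
  for (const src of sources) {
    const url = checkFrameSrc(src);
    if (url) out.push(`<iframe src="${url.href}"></iframe>`);
  }
  return out.join("\n");
}
```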
