[Webkit-unassigned] [Bug 7412] New: Launch other application, opening for exploit, beyond PopUp, no user input

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Tue Feb 21 21:16:16 PST 2006


           Summary: Launch other application, opening for exploit, beyond
                    PopUp, no user input
           Product: WebKit
           Version: 420+ (nightly)
          Platform: Macintosh
               URL: http://www.methodshop.com/mp3/ipodsupport/diagnosticmode
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: JavaScript
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: emark2k at yahoo.com

Today I was looking for information on ipod scpecifications and say an article
on "iPod Diagnostic Mode" appear in my search results. I was curious to learn
about this and clicked through on this link:


the web page loaded, then, automatically launched iTunes and took me to the
store even though I'd not clicked on any links on the page itself!!!

This has the potential for damage, IMHO.  Even if not, it is B.S. that just
loading a site, without any input from me can do more than pop up an annoying
browser window, it launches another application!!

See below for how Camino handles the same page, perhaps something along these
lines is necessary, particularly given the recent uncovering of shell
script/viral and worm like things possibly affecting OS X???

P.S.  I don't know enough about browsers to say whether this is related to
JavaScript or Plug-Ins, or what...so forgive my guess to file it there and
please refile or ignore as necessary..T


For comparison:

Relaunched the web page looking at it in Camino.

Unchecked the preference to block pop up windows and when loaded the page the
warning message came up

"An external application must be launched to handle itms: links.

((displayed html link ...... ))

If you were not expecting this request in may be an attempt to exploit a
weakness in that other program. Cancel this request unless you are sure it is
not malicious."

with options buttons to Cancel or Launch Application, and a check box to
"Remember my choice for all links of this type"

Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list