UK registrar 123-reg.co.uk has had a fair few customer relations issues in the past. Today I was digging into an issue for a client site and found some interesting things related to the way 123 Reg handles parked pages.
The problem was that the client's site didn't open when you missed the www out of the domain. For example visiting this link was OK but this one takes you to a parked page (this site isn't my client, just an example).
A quick check on how many sites 123 Reg has parked and indexed in Google reveals about half a million, so there are plenty of trusted domains to have fun with.
123 Reg has left a nice XSS hole in their parked pages allowing any users to create an unlimited number of links on spam sites like this one and even better this one.
Basically every single one of the half million domains parked with 123 Reg can be injected with links to whatever sites a spammer wants.
The benefits of having an affiliate program are well documented. Savvy ecommerce site owners can analyse the marketing strategies of successful affiliates and copy them for greater revenue. Merchants can also hide behind fake affiliate accounts while using blackhat and email spam to promote their products.
Having an API is just as good as having an affiliate program if you don’t operate a merchant site. BlogStorm uses the Yahoo API to track links and thousands of other sites create applications far cooler than those offered by the parent company.
If Yahoo, Google or any other company decided that an application running off their API was becoming too popular they could code a copycat version within weeks and gain more traction than the original quite easily.
Alexa recently added a bunch of new features to the Alexa charts after Alexaholic started to gain more and more users. Eventually Alexa blocked Alexaholic resulting in a PR disaster.
Today we see that Digg has a picture section, courtesy of a clever programmer and the Digg API. Digg has promised a picture section by October so there is plenty of time for digpicz.com to gain traction in the meantime. No doubt Digg programmers will be keen to see their users' reaction to digpicz.com and have over a month to analyse feedback and improve their picture section accordingly.
The Digg management team has more awareness of reputation management than most web companies so they probably won't try to shut down digpicz.com, but it must be reassuring for them to know they could if they had to.
Most people will have heard of XSS (Cross Site Scripting) attacks before. Many of you will understand the basics but may not have seen a real world application.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.
Today Jurgen Schmidt of Heise Security talks about how some of these attacks work so that we can be more prepared to deal with the worst.
In the example Jurgen has two different links, both opening the same login form. The malicious link opens the form using some JavaScript code that attaches an onSubmit event to the form. Once you enter your password it can then be transmitted to the hacker.
Security isn’t going to become a regular feature on BlogStorm but the ingenuity and simplicity of the script combined with the potential threat prompted me to post about it.
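Both posts above come down to the same root cause: untrusted input from the URL copied straight into a page, which lets a stranger plant links (the parked-page case) or script (the login-form case). The example below is added here and is not 123 Reg's code or the Heise script; it is a minimal parked-page renderer with the defective version next to the fixed one, and the hostname, the `search` parameter name and the sample link are all constructed for the demonstration.

```javascript
// Added example: a tiny parked-page renderer that reflects the requested
// hostname and a "search" query parameter into HTML. renderUnsafe() shows the
// class of defect described above (untrusted input copied verbatim into
// markup); renderSafe() shows the fix: HTML-escape every untrusted value
// before it reaches the page. Hostname and parameter name are assumptions.

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read ?search=... from the request URL (URL/URLSearchParams are standard
// in browsers and Node).
function getSearchTerm(url) {
  return new URL(url).searchParams.get("search") || "";
}

// Defective version: whatever arrived in the query string becomes live HTML,
// so a link (or a tag with an event handler) survives into the page.
function renderUnsafe(url) {
  const u = new URL(url);
  return `<h1>${u.hostname} is parked</h1><p>Results for: ${getSearchTerm(url)}</p>`;
}

// Fixed version: every untrusted value is escaped for the HTML text context,
// so the same input is shown as text rather than interpreted as markup.
function renderSafe(url) {
  const u = new URL(url);
  return `<h1>${escapeHtml(u.hostname)} is parked</h1>` +
    `<p>Results for: ${escapeHtml(getSearchTerm(url))}</p>`;
}

// Constructed sample input: a visit to a parked domain whose search term
// carries a link tag, the kind of payload a spammer would put in the URL.
const SAMPLE_URL = "http://parked.example/?search=" +
  encodeURIComponent('<a href="http://spam.example">buy</a>');

// Detection helper: does the rendered page still contain a live anchor tag?
function containsInjectedTag(html) {
  return /<a\s/i.test(html);
}
```

Running `renderUnsafe(SAMPLE_URL)` yields a page with a working link to the spam domain, while `renderSafe(SAMPLE_URL)` shows the tag as literal text; the same escaping discipline, applied to every reflected value, is what closes the hole in a parked-page template.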