UK registrar 123-reg.co.uk has had a fair few customer relations issues in the past. Today I was digging into an issue for a client site and found some interesting things related to the way 123 Reg handles parked pages.
The problem was that the clients site didn’t open when you missed the www out of the domain. For example visiting this link was OK but this one takes you to a parked page (this site isn’t my client, just an example).
A quick check on how many sites 123 Reg has parked and indexed in Google reveals about half a million so there are plenty of trusted domains to have fun with.
123 Reg has left a nice XSS hole in their parked pages allowing any users to create an unlimited number of links on spam sites like this one and even better this one.
Basically every single one of the half million domains parked with 123 Reg can be injected with links to whatever sites a spammer wants.
Patrick Altoft is Director of Search at Leeds based digital & SEO agency Branded3. Patrick also runs Blogstorm.You can get our blog posts delivered for free by email every day - simply add your email address to the box below or alternatively grab the RSS feed.
{ 4 comments… read them below or add one }
Someone needs to automate this
Fixed.
lol @ using Matt Cutts domain
Never mind, McAfee ScanAlert (HackerSafe) reckon that XSS vulnerabilities are not dangerous so there’s no need to fail a site if it has XSS.
Leave a Comment (registration is optional)