You’ve been hacked!

Well, Yahoo! Open Hackday has come and gone, and I’m still avoiding telling my Dave Filo story, so I suppose it won’t hurt to mention a fun pre-hackday hack I saw last August.

When the hackday registration page went up, it looked like this:

Yahoo HackDay 08

Notice the sample fields in grey? The one for the URL reads http://jrandomhacker.com/coolproject. If you go to that URL you will see the following…

Where the page goes
text reads: terry wuz here

No, it wasn’t me…honest!

How I wuz there

When I first started to work at Plaxo, after we launched Plaxo 2.0, in my spare time, I decided to make an Ajax version of the same pages exploiting the IFRAME remote scripting trick. The basic way this works is instead of using XMLHttpRequest (which wasn’t fully supported at the time), you would make asynchronous calls by generating a POST or GET to an invisible IFRAME which would send the data back by making calls to the parent via javascript.

Now since this IFRAME was empty other than a script tag, I loaded the body with a placeholder text during debugging…

terry wuz here

The whole thing worked, they loved it, we launched it.

I forgot to remove the placeholder.

Being hacked

What happens when you leave the browser open for a long period of time is that eventually something goes wonky and you get a javascript error. The request to load the IFRAME is still there, but it’s been paused until someone dismisses the alert box. After that, the IFRAME loads on the top level of the browser instead of the page and the user, logged into Plaxo, sees a plain white page with the text:

terry wuz here

Well you can imagine how many e-mails customer support was getting telling us, “Plaxo, your website has been hacked!”

Doh!

Hacking hackday

So what happened is that an engineer at Plaxo noticed that the URL for Yahoo!’s hackday pointed to a domain name that wasn’t registered and registered it.

What to put on the page? another engineer suggested…

terry wuz here

Congratulations, Yahoo! You’ve been hacked. 😀

Leave a Reply

Your email address will not be published. Required fields are marked *