
Adnan Siddiqi

Let's get technical

How perl.com became porn.com

A few days back the official Perl website redirected users to porn.com, which later got fixed. The people at O'Reilly eventually found out that it all happened because of remotely loaded JavaScript. Nat says:

It only took three things to turn perl.com into porn.com: (1) the advertiser's domain lapsed, (2) the porn company bought it, (3) they replaced the Javascript that we were loading with a small chunk that redirected to the porn site (note that nothing on or about perl.com changed). Our first concern was that we'd been hacked and "run this remote Javascript" inserted from our servers without our knowledge, but that hadn't happened—our change records and RT logs show we've had that Javascript and advertiser since May 2006.


Wicked, isn't it?

The folks at Ajaxian have given some nice suggestions for avoiding such issues, like keeping things, especially business logic, on the back end.

Update: Sorry for the update. I was just searching related news and found Nat's reply on this blog.


Hi! It's a variation on simple domain lapsing, but the important thing here is that perl.com never lapsed. A whois search would have shown that perl.com was still owned by Tom Christiansen and pointing to O'Reilly's servers. But when people went to perl.com, they ended up on a porn site. We managed our domains perfectly and still got bitten by a lapsed domain. The scope to be bitten by lapses that aren't your own is what's different here.


This raises a question: could a JavaScript-based WHOIS utility check the owner of every external domain before allowing its script to execute? With AJAX and JSON it should not be a problem: AJAX to invoke a server-side WHOIS utility, and JSON to return the parsed data about the possibly lapsed domain. The host site (e.g. perl.com) would have to maintain a database of the owners of the sites advertising on it. Once a difference is found, it would either abort the script or otherwise stop it from executing.
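As an added example of the server-side half of that idea (this is not code from perl.com, O'Reilly or Ajaxian), the script below pulls every external script host out of a page, reduces it to the registrable domain, asks a WHOIS lookup who owns it now, and compares the answer with the owner the host site recorded when the advertiser's tag was approved. The page HTML, the approval database and the WHOIS answers are all constructed here so the example runs offline; every domain name in it is made up, and `whois_lookup` is a stand-in for a real registrar query.

```python
"""
Audit the external <script src> hosts of a page against the registrant each
host had when its tag was approved.  Added example for the WHOIS-check idea
above, not code from perl.com, O'Reilly or Ajaxian.  All domains, the page
and the WHOIS answers are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def registrable_domain(host):
    """Reduce a host name to the part a registrar sells (last two labels).
    Simplification: production code should consult the Public Suffix List
    so that e.g. 'foo.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def external_script_domains(html, own_domain):
    """Return the set of third-party registrable domains a page loads scripts from."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    domains = set()
    for src in collector.sources:
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        parsed = urlparse(src)
        if not parsed.hostname:           # relative path: served by the page's own host
            continue
        domain = registrable_domain(parsed.hostname)
        if domain != own_domain:
            domains.add(domain)
    return domains


def audit_external_scripts(html, own_domain, expected_registrants, whois_lookup):
    """Compare each third-party script domain's current registrant with the one
    recorded at approval time.  Returns {domain: (verdict, reason)} where the
    verdict is 'allow' or 'block'; anything not positively matched is blocked."""
    verdicts = {}
    for domain in sorted(external_script_domains(html, own_domain)):
        recorded = expected_registrants.get(domain)
        current = whois_lookup(domain)
        if recorded is None:
            verdicts[domain] = ("block", "no approval record for this domain")
        elif current is None:
            verdicts[domain] = ("block", "domain is no longer registered")
        elif current != recorded:
            verdicts[domain] = ("block", f"registrant changed from {recorded!r} to {current!r}")
        else:
            verdicts[domain] = ("allow", "registrant unchanged")
    return verdicts


# Constructed sample page: a first-party script, an approved advertiser, an
# advertiser whose domain has changed hands, a never-approved host, and an
# inline script (no src, so it is never considered external).
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//ads.approved-ads.example/tag.js"></script>
<script src="http://static.lapsed-ads.example/banner.js"></script>
<script src="https://cdn.unknown-widget.example/w.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

# What the host site recorded when each tag was approved (constructed).
EXPECTED_REGISTRANTS = {
    "approved-ads.example": "Approved Ads Inc",
    "lapsed-ads.example": "Original Ad Network LLC",
}

# Stand-in for a server-side WHOIS query (constructed); None = unregistered.
FAKE_WHOIS = {
    "approved-ads.example": "Approved Ads Inc",
    "lapsed-ads.example": "New Owner Holdings",
    "unknown-widget.example": "Widget Co",
}


def fake_whois_lookup(domain):
    return FAKE_WHOIS.get(domain)


if __name__ == "__main__":
    results = audit_external_scripts(SAMPLE_HTML, "hostsite.example",
                                     EXPECTED_REGISTRANTS, fake_whois_lookup)
    for domain, (verdict, reason) in results.items():
        print(f"{verdict:5} {domain}: {reason}")
```

Two caveats worth keeping in mind with this kind of check: a WHOIS record only tells you who holds the registration, not what the registrant's server is serving, so a tag from an unchanged owner can still change behaviour; and WHOIS data is often rate-limited or redacted, which is why the lookup belongs on the server and should be cached rather than run from the browser on every page view. The check is a complement to, not a replacement for, the Ajaxian advice of keeping business logic on your own servers.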

Posted: Monday, January 21, 2008 11:27 PM by kadnan
