| 5:16 am on Nov 13, 2012 (gmt 0)|
Have some fun thinking about the possibilities, but take the high road in what you actually do! :)
|brotherhood of LAN|
| 5:52 am on Nov 13, 2012 (gmt 0)|
a relevant affiliate link... or if you're feeling risky, redirect users somewhere nice, like a Rick Astley video.
On a more serious note, you may want to try contacting them and make them aware of the privacy/security issues of what including your JS file entails.
| 6:15 am on Nov 13, 2012 (gmt 0)|
Yeah, I was kinda blown away that some lazy webmaster there just linked the script like that. Certainly don't want to get someone fired over it, but there are so many things someone could do in this situation.
Never-ending popups... bouncing smiley faces... heck, you could even write to the page itself with whatever you wanted. Likely, I'll just let it be for now and hope they change their ways...
On the serious side:
It could be a very dangerous situation... you can garner all sorts of information about their users including cookies set by their server.
| 8:36 am on Nov 13, 2012 (gmt 0)|
They should get fired.
You could start to collect cookies (i.e. you bypass authentication that way)
[it's dead easy: just load an image off of any URL and make it a GET request that contains the cookie]
You could subtly alter a page. E.g. insert a NOT in a strategic place and oops...
You could even be selective about when and with whom you do evil things. E.g. once you know the IP address of, let's say, the White House you start to do funny things, but not to others, so no antivirus vendor ever sees your malware.
Really: contact the government agency and tell them that they have a security breach.
| 10:20 am on Nov 13, 2012 (gmt 0)|
I've left out the real killer on why they deserve to get fired on the spot: what if you were evil enough to sell the domain to, let's say, Iran?
| 2:27 pm on Nov 13, 2012 (gmt 0)|
Get advice from Gary McKinnon?
| 3:02 pm on Nov 13, 2012 (gmt 0)|
Tell them, you might get a friend out of it.
| 3:16 pm on Nov 13, 2012 (gmt 0)|
I would not do anything malicious. Even though they opened the door, it doesn't make it legal for you to mess with their site. Contact them and let them know of their mistake, and let them know you'll be changing the file if they don't respond in X time.
| 3:32 pm on Nov 13, 2012 (gmt 0)|
He would not be messing with their site. He would be messing with his own site.
| 4:46 pm on Nov 13, 2012 (gmt 0)|
|Contact them and let them know of their mistake|
"Oh, oops, I didn't realize that www.example.com wasn't associated with the DoD. My bad."
There is a short list of ways to deal with hotlinking images. I hope it doesn't become necessary to evolve a list of similar solutions for js hotlinkers.
That's setting aside the whole question of why on earth do they bother? Is the DoD so pressed for bandwidth and server space that they can't simply swipe your script and host it on their own equipment? It's hardly likely that anyone would ever notice.
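The post above asks for the JS equivalent of the usual image-hotlink countermeasures. The following is an added example, not code posted in this thread: it shows the two defensive pieces the script owner would actually want, first a pass over the web server's own access log to confirm which foreign sites are loading a `.js` file (so the report to the agency is backed by evidence), and second a serving policy that hands foreign referers an inert no-op script instead of the real one, the same idea as swapping a hotlinked image for a placeholder. The log lines, the host names (`www.example.com` as the owner's site, `intranet.agency.example` as the hotlinker) and the `OWN_HOSTS` set are all constructed for the example. The caveat worth keeping in mind: `Referer` is supplied by the client, is often stripped by browsers and proxies, and is trivially forged, so this is a nuisance control that keeps honest sites from leaning on your server, not a security boundary, and requests with no `Referer` at all are served normally to avoid breaking legitimate visitors.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache "combined"-format access log lines (not from the thread).
# IPs are documentation ranges; host names are placeholders, not real sites.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2012:05:16:01 +0000] "GET /js/widget.js HTTP/1.1" 200 4120 "http://www.example.com/page.html" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2012:05:16:09 +0000] "GET /js/widget.js HTTP/1.1" 200 4120 "http://intranet.agency.example/portal/" "Mozilla/5.0"
198.51.100.8 - - [13/Nov/2012:05:17:22 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://intranet.agency.example/portal/" "Mozilla/5.0"
192.0.2.44 - - [13/Nov/2012:05:18:03 +0000] "GET /js/widget.js HTTP/1.1" 200 4120 "-" "curl/7.26"
"""

# One regex for the combined log format: client IP, identd, user, timestamp,
# request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical: the hosts the script owner legitimately serves the file to.
OWN_HOSTS = {"www.example.com", "example.com"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from a Referer value; None when the header is absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def find_js_hotlinks(log_text, own_hosts=OWN_HOSTS):
    """Detection pass: return sorted (referer_host, path, hits) for .js requests
    whose Referer names a host outside own_hosts. Requests with no Referer are
    skipped because nothing can be concluded from them."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].split("?", 1)[0].endswith(".js"):
            continue
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts:
            continue
        key = (host, rec["path"])
        counts[key] = counts.get(key, 0) + 1
    return sorted((h, p, n) for (h, p), n in counts.items())


def hotlink_policy(rec, own_hosts=OWN_HOSTS):
    """Serving decision for one parsed request: 'serve' the real script, or
    'stub' (an empty, no-op JS body) for a foreign Referer. A missing Referer
    is served normally: browsers and proxies drop the header often enough that
    blocking on it would break legitimate visitors."""
    host = referer_host(rec["referer"])
    if host is None or host in own_hosts:
        return "serve"
    return "stub"


if __name__ == "__main__":
    for host, path, hits in find_js_hotlinks(SAMPLE_LOG):
        print(f"{host} hotlinks {path} ({hits} hit(s))")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["ip"], rec["path"], "->", hotlink_policy(rec))
```

Run against a real log, the detection pass gives the list of referring hosts and paths to put in the report to the agency; the policy function is the decision an Apache/nginx referer rule would encode, here kept in Python so the "no Referer means serve" edge case is explicit rather than buried in a rewrite condition.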
| 7:21 am on Nov 14, 2012 (gmt 0)|
Probably need approval of twenty committees to put something as dangerous as script on server, so easier solution found.