homepage Welcome to WebmasterWorld Guest from 54.237.235.12
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Code, Content, and Presentation / JavaScript and AJAX
Forum Library, Charter, Moderator: open

JavaScript and AJAX Forum

    
Someone hot linking to one of my .js files
not just anyone, but a government agency!
Bewenched

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4518648 posted 4:59 am on Nov 13, 2012 (gmt 0)

Ok, so poking through my server logs the other day I came across someone hot linking to one of my javascript files... it's a pretty simple include that I use to bust the site out of frames..... so no biggie right? My first thought... change my include name and be done with it, then I thought ... hey .. I could write "Hello World" on their site... lol.

Well come to find out it's a government defense contractor .. big one too.... what would you do?

 

buckworks

WebmasterWorld Administrator buckworks us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4518648 posted 5:16 am on Nov 13, 2012 (gmt 0)

Have some fun thinking about the possibilities, but take the high road in what you actually do! :)

brotherhood of LAN

WebmasterWorld Administrator brotherhood_of_lan us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 4518648 posted 5:52 am on Nov 13, 2012 (gmt 0)

a relevant affiliate link... or if you're feeling risky, re-direct users somewhere nice, like a rick astley video.

On a more serious note, you may want to try contact them and make them aware of the privacy/security issues of what including your JS file entails.

Bewenched

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4518648 posted 6:15 am on Nov 13, 2012 (gmt 0)

Yea, I was kinda blown away that some lazy webmaster there just linked the script like that. Certainly don't want to get someone fired over it, but there's so many things someone could do in this situation.

Never ending popups .... bouncing smiley faces.... heck, you could even write to the page itself with whatever you wanted. Likely, I'll just let it be for now and hope they change their ways...

On the serious side:
It could be a very dangerous situation... you can garner all sorts of information about their users including cookies set by their server.

swa66

WebmasterWorld Senior Member swa66 us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4518648 posted 8:36 am on Nov 13, 2012 (gmt 0)

They should get fired.

You could start to collect cookies (i.e. you bypass authentication that way)
[it's dead easy: just load an image off of any URL and make it a get request that contains the cookie]

You could subtly alter a page. E.g. insert a NOT inn a strategic place and oops...

You could even be selective about when and who you do evil things with. E.g. once you know the IP address of let's say the whitehouse you start to do funny things, but not to others so no anti virus vendor never sees your malware.

...

Really: contact the government agency and tell them that have a security breach.

swa66

WebmasterWorld Senior Member swa66 us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4518648 posted 10:20 am on Nov 13, 2012 (gmt 0)

I've left out the real killer on why they deserve to get fired on the spot: what if you would be evil enough to sell the domain to let's say Iran ?

BeeDeeDubbleU

WebmasterWorld Senior Member beedeedubbleu us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4518648 posted 2:27 pm on Nov 13, 2012 (gmt 0)

Get advice from Gary McKinnon?

Str82u



 
Msg#: 4518648 posted 3:02 pm on Nov 13, 2012 (gmt 0)

Tell them, you might get a friend out of it.

StoutFiles

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4518648 posted 3:16 pm on Nov 13, 2012 (gmt 0)

I would not do anything malicious, even though they opened the door, it doesn't make it legal for you to mess with their site. Contact them and let them know of their mistake, and let them know you'll be changing the file if they don't respond in X time.

BeeDeeDubbleU

WebmasterWorld Senior Member beedeedubbleu us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4518648 posted 3:32 pm on Nov 13, 2012 (gmt 0)

He would not be messing with their site. He would be messing with his own site.

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4518648 posted 4:46 pm on Nov 13, 2012 (gmt 0)

Contact them and let them know of their mistake

"Oh, oops, I didn't realize that www.example.com wasn't associated with the DoD. My bad."

There is a short list of ways to deal with hotlinking images. I hope it doesn't become necessary to evolve a list of similar solutions for js hotlinkers.

That's setting aside the whole question of why on earth do they bother? Is the DoD so pressed for bandwidth and server space that they can't simply swipe your script and host it on their own equipment? It's hardly likely that anyone would ever notice.

daveVk

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4518648 posted 7:21 am on Nov 14, 2012 (gmt 0)

Probably need approval of twenty committees to put something as dangerous as script on server, so easier solution found.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / JavaScript and AJAX
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved