I'm recycling a comment from another AC in another Scuttlemonkey/**Beatles-Beatles post. This guy's getting worse than Roland Picklepail:
Am I the only person who has noticed the numerous stories that get posted by *--Beatles-Beatles? Am I also the only person who has noticed that the link used in is name is a constantly changing URL (depending on the story) with pointers to various scammy sites? Is it not obvious what he's doing? He's using the awesome PageRank of slashdot do promote his sites based on searches that have the word Beatles in them.
It's a small price to pay for free advertising. Find a story, summarize it in 5 minutes, post to slashdot, and get a pagerank boost that advertisers would pay hundreds (or maybe thousands) for. (Text links on high-ranking sites is big business - just ask oreilly).
Slashdot should at least put a ref=nofollow in the links to submitters (or better yet, only link the submitter's name to his/her user page).
In closing, a quick bit of WHOIS shows that all the sites linked by **B-B are registered to Carl Fogle. Carl, cut this crap out.
About a year ago, I discovered a bug in xanga.com's software that would allow anyone to use any javascript they wanted. Xanga simply made 1 pass through to remove any tags... so all you had to do was write <script> and </script>. I created a proof of concept that would allow me to capture a user's cookies and send them to an offsite PHP script, totally transparent to the victim. You could then simply replace the victim's cookie with yours, and have total control of their account.
So I took my discovery and emailed it to their designated bug report address. 5 months later it was finally fixed. I've found other vunerabilities that would allow anyone to do the same thing, but I don't even want to bother writing a proof of concept and telling them about it. Most companies just don't see XSS as a danger until someone wreaks some havoc.
Slashdot Mirror
plz com 2 the well. tim needs u 2 help him. thnx <3.
I'm recycling a comment from another AC in another Scuttlemonkey/**Beatles-Beatles post. This guy's getting worse than Roland Picklepail: Am I the only person who has noticed the numerous stories that get posted by *--Beatles-Beatles? Am I also the only person who has noticed that the link used in is name is a constantly changing URL (depending on the story) with pointers to various scammy sites? Is it not obvious what he's doing? He's using the awesome PageRank of slashdot do promote his sites based on searches that have the word Beatles in them. It's a small price to pay for free advertising. Find a story, summarize it in 5 minutes, post to slashdot, and get a pagerank boost that advertisers would pay hundreds (or maybe thousands) for. (Text links on high-ranking sites is big business - just ask oreilly). Slashdot should at least put a ref=nofollow in the links to submitters (or better yet, only link the submitter's name to his/her user page). In closing, a quick bit of WHOIS shows that all the sites linked by **B-B are registered to Carl Fogle. Carl, cut this crap out.
About a year ago, I discovered a bug in xanga.com's software that would allow anyone to use any javascript they wanted. Xanga simply made 1 pass through to remove any tags... so all you had to do was write <script> and </script>. I created a proof of concept that would allow me to capture a user's cookies and send them to an offsite PHP script, totally transparent to the victim. You could then simply replace the victim's cookie with yours, and have total control of their account.
So I took my discovery and emailed it to their designated bug report address. 5 months later it was finally fixed. I've found other vunerabilities that would allow anyone to do the same thing, but I don't even want to bother writing a proof of concept and telling them about it. Most companies just don't see XSS as a danger until someone wreaks some havoc.