Skip to main content

Hacker's Prank Makes Websites Do Harlem Shake

Credit: Gracie Films/Twentieth Century Fox Television

(Image credit: Gracie Films/Twentieth Century Fox Television)

Some websites are more vulnerable than others to hacking. Some are so weak, you can make them do the Harlem Shake.

Late last week, British programmer Jamie Hankins loaded a bit of JavaScript into his own website's metadata, specifically the TXT fields of the Domain Name Service (DNS) records.

The result? When you type in "jamiehankins.co.uk" into the search fields of certain websites, the text starts shaking, music starts blaring and the entire page turns into a dance party, complete with a Rick Astley video.

MORE: 12 Computer-Security Mistakes You're Probably Making

Hankins' prank was first noticed on the Who.is domain lookup page, but the site was later fixed. However, as of Monday afternoon EDT, the prank still worked on a site called MxToolbox.com.

"I regret nothing," Hankins said via Twitter on Friday. "I nickname it the XSS-Shake."

Jokes aside, cross-site scripting (XSS) is a serious matter. Malicious hackers often use it to inject unauthorized codes into other people's websites, causing the targeted sites to steal user passwords or load malware onto visiting Web browsers.

Proper website security should result in sites being immune to XSS, and as a result, some malicious hackers have lately been using it in social media. Facebook users have been tricked into using it on themselves, and Twitter client TweetDeck was recently shown to be vulnerable to malicious tweets.

On the /r/programming Reddit thread on Friday, user Rhomboid succinctly explained what was going on with Jamie Hankins' benign XSS attack.

"The who.is website is displaying the contents of this record for the jamiehankins.co.uk domain without properly sanitizing it for HTML, opening up a cross-site-scripting attack," Rhomboid said. "The registrant of the domain put a in two separate TXT records, and the lack of sanitation causes them to be active, loading remote scripts. Once you can run a script, you have complete control and do anything you want, including loading further scripts, stealing cookie values, etc."

For posterity's sake, there are a few YouTube videos that demonstrate the results of Hankins' prank.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.