Hacker's Prank Makes Websites Do Harlem Shake
A fun bit of injected JavaScript shows how easy it can be to make websites misbehave.
Some websites are more vulnerable than others to hacking. Some are so weak, you can make them do the Harlem Shake.
Late last week, British programmer Jamie Hankins loaded a bit of JavaScript into his own website's metadata, specifically the TXT fields of the Domain Name Service (DNS) records.
The result? When you type in "jamiehankins.co.uk" into the search fields of certain websites, the text starts shaking, music starts blaring and the entire page turns into a dance party, complete with a Rick Astley video.
MORE: 12 Computer-Security Mistakes You're Probably Making
Hankins' prank was first noticed on the Who.is domain lookup page, but the site was later fixed. However, as of Monday afternoon EDT, the prank still worked on a site called MxToolbox.com.
"I regret nothing," Hankins said via Twitter on Friday. "I nickname it the XSS-Shake."
Jokes aside, cross-site scripting (XSS) is a serious matter. Malicious hackers often use it to inject unauthorized codes into other people's websites, causing the targeted sites to steal user passwords or load malware onto visiting Web browsers.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
Proper website security should result in sites being immune to XSS, and as a result, some malicious hackers have lately been using it in social media. Facebook users have been tricked into using it on themselves, and Twitter client TweetDeck was recently shown to be vulnerable to malicious tweets.
On the /r/programming Reddit thread on Friday, user Rhomboid succinctly explained what was going on with Jamie Hankins' benign XSS attack.
"The who.is website is displaying the contents of this record for the jamiehankins.co.uk domain without properly sanitizing it for HTML, opening up a cross-site-scripting attack," Rhomboid said. "The registrant of the domain put a in two separate TXT records, and the lack of sanitation causes them to be active, loading remote scripts. Once you can run a script, you have complete control and do anything you want, including loading further scripts, stealing cookie values, etc."
For posterity's sake, there are a few YouTube videos that demonstrate the results of Hankins' prank.
- Best Mac Antivirus Software 2014
- 10 Facebook Privacy and Security Settings to Lock Down
- 7 Scariest Security Threats Headed Your Way
Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.