Friday, September 3, 2010

Hack is Wack is Hacked

Snoop Dogg is putting his rapper muscle behind Symantec and taking hackers on... I think... if I understand the site http://hackiswack.com correctly.

It should be no surprise that the security of the site is going to come under some scrutiny. The Register already has one article about the issues someone found.

I took a few minutes and checked the site out myself and found another issue.

If you look in the source code, you see a link embedded in the JavaScript that looks like this...

/index.php?option=com_jfbconnect&task=logout&return=aW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9OCZJdGVtaWQ9Mg==
 
The interesting part is this: 
aW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3PWFydGljbGUmaWQ9OCZJdGVtaWQ9Mg==
 
If we decode this base64 encoded string, we get this: 
index.php?option=com_content&view=article&id=8&Itemid=2
 
So, let's encode our own string and create a new URL that looks like this: 
http://www.hackiswack.com/index.php?option=com_jfbconnect&task=logout&return=aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PW9IZzVTSllSSEEw



Yeah. That would be yet another RickRoll...
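
The fix for this kind of unvalidated redirect is to decode the return value on the server and accept it only if it is a relative, same-site URL. The sketch below is an added example, not code from the site or from the com_jfbconnect component; the function name safe_return_target and the index.php fallback are assumptions, and the two sample values are the ones quoted above.

```python
import base64
import binascii
from urllib.parse import urlsplit

DEFAULT_TARGET = "index.php"  # assumed fallback landing page

# The two "return" values quoted in the post.
PAGE_RETURN = ("aW5kZXgucGhwP29wdGlvbj1jb21fY29udGVudCZ2aWV3"
               "PWFydGljbGUmaWQ9OCZJdGVtaWQ9Mg==")
CRAFTED_RETURN = "aHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PW9IZzVTSllSSEEw"


def safe_return_target(encoded, default=DEFAULT_TARGET):
    """Decode a base64 'return' value; accept only a same-site relative URL."""
    try:
        raw = base64.b64decode(encoded, validate=True)
        target = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError, TypeError):
        return default  # not valid base64, or not plain ASCII text

    # Browsers normalise backslashes, whitespace and control characters
    # differently from urlsplit(), so refuse them instead of guessing.
    if not target or "\\" in target:
        return default
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return default

    # Two or more leading slashes start an authority ("//host/path").
    if target.startswith("//"):
        return default

    parts = urlsplit(target)
    # A scheme (http:, javascript:, ...) or a host means the URL is not
    # a relative reference into this site.
    if parts.scheme or parts.netloc:
        return default
    return target


if __name__ == "__main__":
    for value in (PAGE_RETURN, CRAFTED_RETURN):
        print(value[:24] + "...", "->", safe_return_target(value))
```

The site's own value passes through unchanged, while the crafted one falls back to the default page instead of leaving the site.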