Think evil, be evil. Simply Google.

Actually a stupid mistake coming from Avira antivirus product.

You know guys,  maybe you should block every html code next time. It would be easier than banning 0px iframes. I’m moving back to nod32 antivirus.

In 2009 I started to invest some time in adult affiliate programs and my needs for traffic increased day after day. After few days of researching I found some traffic sources to test my ideas, but one of the most important websites used last year by me and my friends was Tagged.com.

When everything started,  javascript and iframes in “left wall” and “right wall” boxes were permitted. At that time using  this method we were able to redirect about 400 users in about 5 minutes (tested). Anyway, now all active content is banned or limited but this is not the essence of the story.

HOW WE MADE 400 PEOPLE TO VISIT OUR PROFILES IN 5 MINUTES

Untill we started to play with tagged system many things were permitted and the most loved tool offered by this social network for us was the “Meet me” button. At that time, for us it was something simple like “go to Meet me page, press YES one time, take a piece of paper and use it to keep Enter button pressed untill you reach the limit”. In this way we redirected in a matter of minutes hundreds of visitors to our pages and money came in a very easy way for us at that time.

Of course this “Meet me” glitch was patched. Or should I tell “was patched just for noobs”. The best solution in the minds of the developers was to use javascript against the evil Enter button. So now the code looks like this:

<input type=”button” id=”yes” name=”Yes” value=”Yes” onclick=”this.blur(); return game.interest(true);”>

Now really. This looks like a good antispam solution? Seems like not.

HOW TO SCREW THE SHITTIEST ANTISPAM PROTECTION EVER

Open Firefox (Firefox is the best option in this case – do not use Google Chrome).

Go to Tagged.com and log in.

Go to Meet me page.

Open Firebug.

Click the inspect button from Firebug and select YES button from Tagged.

Now you will have in the front of the eyes the code from above.

Just delete this.blur(); from the firebug html console and click any place of the Meet me page.

Now keep pressing Enter button and voila! You can send hundreds of “Meet me” requests  in a matter of seconds and your profile page will be visited by thousands of people. This method combined with a profile full with crappy links hidden under some pics or videos could generate some good or shitty traffic, depending of your niche.

(SAD) EPILOGUE

For about 2 or 3 weeks Tagged system is banning profiles that makes too many meet me requests in a short time. Now it’s time to say “bye bye Tagged, here we come ‘other social networks’”.

P.S.  - unul dintre prietenii cu care faceam asta si-a ridicat considerabil site-ul in trafic.ro folosindu-se de tagged si redirectionari

Sometimes making fun of people using xss tricks can be very entertaining. Today I will talk about xlovecam.com, a belgian adult videochat website with huge amount of traffic from France.

Our purpose is to make models believe that their accounts are suspended. For them this means a lot of money and time wasted.

Some real examples:
http://img339.imageshack.us/img339/5881/buahahahaq.png
http://img706.imageshack.us/img706/2575/hihihihiz.png
http://img227.imageshack.us/img227/2604/pwnedd.png
http://img534.imageshack.us/img534/2424/95603479.png

How to do it:

Go to http://www.xlovecam.com and register a new account.
Log in using the new account.
Open http://iphone.xlovecam.com in another browser instance and login there too.
Go in a girl room from the iphone page.
Search the same girl on xlovecam.com front page (check page footer for the entire list of online models) and go in her room to see her reaction after everything is completed.

Now from the iphone page we will use basic html and some javascript to pwn that chatroom. Iphone chat interface is vulnerable to cross site scripting so it will be easy.
First of all I need to use a different font to catch the model attention because in normal circumstances all users type with the same font. So I just type this in her iphone chat room and she will see a text like the one from my screencaps.

How to make this prank more convincing? We use a little code from RSnake xss cheatsheet to freeze her room. No one including the model will be able to write anything in the chat. This little piece of code affects many flash based chatrooms so you can test it in another circumstances too. Btw, you can see on that iphone page what she will try to type, but in normal chat nothing will appear.

So the final version of the code looks like this http://pastebin.com/QtiWnS1s. With a simple copy/paste you can make fun of them when you are bored. Of course you could use that iphone subdomain to redirect visitors from the room (if they are using iphone interface) or steal their cookies but most of the users use the normal site interface not the iphone subdomain.

Other tricks:

In the rooms type html tags like <i><u><b> but don’t close them. You will see by yourself what’s the catch.

It’s funny to see this type of reaction

<jim shoe> i’m here with my 15 yr old son. interested?
<Corinne29> Hello
<Corinne29> This is Corinne Vartuver from FBI
<Corinne29> Please provide me your name and home address asap
*** jim shoe is now blocking you.
*** jim shoe has gone offline.

Clips source (comments section)

http://westwood.ro/c1pr1an/pass.txt

L.E. – hackeri -> http://www.laguna.evolink.ro/

http://wine-and-dine.telegraph.co.uk/site/index.php

http://shortbreaks.telegraph.co.uk/

Source: http://rstcenter.com/forum/21897-telegraph-co-uk-hacked.rst

Author: fLr^ R.N.S – Romanian National Security

http://unu123456.baywords.com/2009/12/18/emea-symantec-hacked-again/

Another beautiful intrusion http://tinkode.baywords.com/index.php/2009/12/kaspersky-thailand-full-access/

http://tinkode.baywords.com/index.php/2009/12/nasa-full-dislocure-again/