Jim and James over at HotOrNot.com just made some major changes…
Just wanted to drop you a note to let you know that we’ve made HOTorNOT free! You no longer need to buy a star membership in order to write your double matches ;)
We’ve made a lot of changes to the site recently and much more is in the works. So if you haven’t been on in a while, log back in and check it out!
The free as in beer thing was inevitable with all the social networking sites now. The only surprise was that it didn’t happen sooner. The “lot of changes” line piqued my interest enough to log in to see what was up though. That’s where I found the huge surprise: a site finally managed to be less secure than MySpace. Seriously, it’s that bad. The new Hot or Not is wide open to massive spam campaigns, XSS worms, and all sorts of tomfoolery. It is nothing short of being the Script Kiddies and Spammers Paradise of the moment.
After giving myself a two minute self tour, this is what I discovered and was able to do:
The “lot of change” that opened the flood gates is their new “Super Profiles”. There’s nothing really super about them. They are just profile pages with some extremely basic social networking features. Just like in MySpace Land, the user customization is where it gets ugly.
The “ENTER YOUR CSS STYLE HERE” is misleading. It should read: “Enter whatever you want. The only thing we have half-ass filtered is Script tags”. So, I was able to…
1. Auto-redirect all visitors to my profile to the url of my choosing.
2. Render the entire page blank.
3. Replace the entire profile with an image of the profile which was linked to the url of my choosing.
etc, etc, etc…
What they can expect if they don’t secure that mess up:
Profiles automatically sending people over to porn sites when clicked, drive-by adware installs, on-site spoof login pages to phish account info, scat and other lovely stuff being thrown into the faces of their users, etc…
The profile page itself isn’t where it stops though. The comments are set so that a person has to approve them before getting posted. Fair enough. Too bad the page you approve them from parses any code that’s in the pending comments. So, everything mentioned above can easily be done on that comment approval page also.
Just for shits and giggles, I hooked up my profile with a little word of warning to the guys over there. If they delete that profile or remove the code that gives it the desired effect, I’ll post a copy of the page here.
Update (5pm CST):
Hot or Not has temporarily disabled their anything-goes “CSS” input. You can still put code in there - it’s just not going live. So, everyone currently has a default profile style with no custom backgrounds and whatnot. I’ll update this entry once things are live again to let everyone know if their patch job is a decent one.
Oh yeah, here’s how my profile looked before they disabled everything:
Not So Hot Security.
Additional coverage:
Mashable.com: Hot Or Not Users Get New Found Freedom
Related Articles
21 brave souls have commented on this post
HotOrNot sucks anyhow. on with the scat!!!!!!!!!!!!!!!!!!
i thought that website was for fun… people actually communicate on it now?
Re: Michele
They’ve been having a “hook up” area for years now called “Meet Me”. ;-)
LoL thats awesome! Time to exploit my HoN Account!!
As pathetic as it may sound but I met a couple of my exes off Hot or Not hahaha! Thanks for the tips LoLo!!
Seems like any idiot can start a social site
hi, seen as your pretty hot on the hot or not security, or lack there of, maybe you can shed some light on a hot or not problem I’m having:
basically i want my profile deleted completely. i removed all pictures etc but there’s no account cancellation option to be found. the FAQ’s don’t say anything on this either. i thought if i had no pic or info and didn’t log on for a really long time it would be automatically deleted. but after months i got an email (meet me request) and logging in was no problem.
i don’t use hot or not anymore, i don’t care that my profile is on display as there’s nothing to see. its just really annoying that i can’t delete the account if i want to.
well i said my piece if ya have any ideas on it, that’d be great (i wont be surprised if its really obvious like a big red delete button)
cheers, Ross.
hey, can you delete your account at hot or not?
I’ve had the same problem as Ross. Unless I’m blind I have not been able to find anywhere you can delete your entire profile. If anyone knows how, please let us know!!!
Thanks
yes, can you delete you hotornot account?? ive been trying for weeks. i need help!!!! Thanks
where does everybody get diffrent backgrounds for their super profiles? thanks..
yesssss how do you delete your profile???????
I’ve met some really nice people on Hot or Not, more than other sites. However, maybe I haven’t had any other problems because I don’t know HOW to set up backgrounds etc LOL
I hate this Website..I wish I never even added a pic, anyways I cant find how you delete anything and I wont off. All I recieve is cheezy lines and guys wanting to meet me..its pathetic!
SO….DO ANYONE KNOW HOW TO DELETE YOUR PROFILE ON HOT OR NOT BEC IT SUCKS!!!!!
I have deleted my photos and modified my profile to say “delete my account delete my ENTIRE ACCOUNT!”, so the profile wasn’t approved by the moderators to be shown in “meet me” anymore. Unfortunately, that’s the best I can do.
However, I want no trace of my e-mail address to exist anymore. I don’t want to be able to log-in with the username. I hate shitty sites like that–facebook gave me the same problem. There should be a mandatory warning in big letters before you sign up for sites that are going to pull this shit.
maybe someone should bring them to court, then they will create a DELETE-button on their website.
this site really sucks, two drunk idiots trying to make money and harrassing people…..
YaH someone should take them to court for them to create a account delete bottom
YOU GUYS STILL TRYING TO FIGURE OUT HOW YOU CAN DELETE THIS SHIT!!??? THIS THE PERSON WHO DELETED MY ACCOUNT hotornot411@yahoo.com EMAIL HER. SUBJECT IN CAPITAL LETTERS “DELETE MY ENTIRE ACCOUNT” I GOT AN EMAIL FROM jimandjames@hotornot.com AND REPLIED ON THE SUBLECT “DELETE…” THEN THAT GIRL EMAILED ME SAYING THAT MY ACCOUNT IS ALREADY REMOVED. THEN I TRIED LOGGING IN AND I COULDN’T SO I GUESS THEY DID IT!!!!!! GOOD LUCK GUYS…
idiot maybe the bitch changes the password…lollll
Damn, too bad I’m retired ;-)
But seriously, to all those who think Lolo is bullshitting you, I’m a complete idiot compared to him and I could cause some serious trouble on that site with the new additions they threw in. I give that disaster a week from today before headlines are made…
Sup Lolo! I might be on the DL but I’m always checkin shit out ;-) Be good!
Nick
HoN considers their subscribers domb sheep at best. They don’t want you delete your account for several reasons.
1 - to boost apparent user numbers.
2 - to keep your usage data, which is worth $$$.
3 - because they consider you a bacteria to do with as they wish. You got suckered in, and you’re not leaving.
Remember to hit their support address with a diplomatically worded email containign the term “class action lawsuit” and “infringement of privacy”. That may get their attention.
Report back here if you actually get your account deleted.
And lastly, blacklist the damn site, and rate it on WOT as untrustworthy in regards to privacy.
Speak Your Mind