Jim and James over at HotOrNot.com just made some major changes…
Just wanted to drop you a note to let you know that we’ve made HOTorNOT free! You no longer need to buy a star membership in order to write your double matches ;)
We’ve made a lot of changes to the site recently and much more is in the works. So if you haven’t been on in a while, log back in and check it out!
The free as in beer thing was inevitable with all the social networking sites now. The only surprise was that it didn’t happen sooner. The “lot of changes” line piqued my interest enough to log in to see what was up though. That’s where I found the huge surprise: a site finally managed to be less secure than MySpace. Seriously, it’s that bad. The new Hot or Not is wide open to massive spam campaigns, XSS worms, and all sorts of tomfoolery. It is nothing short of being the Script Kiddies and Spammers Paradise of the moment.
After giving myself a two-minute self-tour, this is what I discovered and was able to do:
The “lot of change” that opened the flood gates is their new “Super Profiles”. There’s nothing really super about them. They are just profile pages with some extremely basic social networking features. Just like in MySpace Land, the user customization is where it gets ugly.
The “ENTER YOUR CSS STYLE HERE” label is misleading. It should read: “Enter whatever you want. The only thing we have half-ass filtered is script tags”. So, I was able to…
1. Auto-redirect all visitors to my profile to the url of my choosing.
2. Render the entire page blank.
3. Replace the entire profile with an image of the profile which was linked to the url of my choosing.
etc, etc, etc…
What they can expect if they don’t secure that mess up:
Profiles automatically sending people over to porn sites when clicked, drive-by adware installs, on-site spoof login pages to phish account info, scat and other lovely stuff being thrown into the faces of their users, etc…
The profile page itself isn’t where it stops though. The comments are set so that a person has to approve them before they get posted. Fair enough. Too bad the page you approve them from renders any code that’s in the pending comments. So, everything mentioned above can easily be done on that comment approval page also.
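To make the two problems above concrete, here is an added example (my own, not Hot or Not’s code) of what a “CSS style” field and a comment-moderation page should do instead of stripping script tags. The property allowlist, the forbidden-token list and the rendering helper names are my own assumptions; the point is that the style input is validated as CSS and never trusted as markup, and the pending comment is escaped rather than parsed.

```python
import html
import re

# Constructed allowlist: the only properties a profile theme may set (assumption).
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "text-align", "border", "border-color", "margin", "padding", "width",
}
# Any of these means the "stylesheet" is carrying markup or active content.
FORBIDDEN_TOKENS = ("<", ">", "&", "url(", "expression(", "@import",
                    "behavior", "-moz-binding", "\\")

BLOCK_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")      # selector { declarations }
SELECTOR_RE = re.compile(r"^[a-zA-Z0-9 .#_,\-]+$")  # plain tag/class/id selectors
VALUE_RE = re.compile(r"^[a-zA-Z0-9 #%.,\-]+$")     # literal colours, sizes, names


def naive_script_filter(style: str) -> str:
    """Roughly the filter the post describes: removes script tags, passes everything else."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", style)


def validate_profile_css(style: str) -> tuple[bool, str]:
    """Return (ok, reason). Accepts only 'selector { prop: value; ... }' blocks
    whose properties are allowlisted and whose values are plain literals."""
    lowered = style.lower()
    for token in FORBIDDEN_TOKENS:
        if token in lowered:
            return False, f"forbidden token {token!r}"
    pos = 0
    for block in BLOCK_RE.finditer(style):
        if style[pos:block.start()].strip():
            return False, "text outside a rule block"
        pos = block.end()
        selector, body = block.group(1).strip(), block.group(2)
        if not SELECTOR_RE.match(selector):
            return False, f"bad selector {selector!r}"
        for decl in filter(None, (d.strip() for d in body.split(";"))):
            prop, sep, value = decl.partition(":")
            prop, value = prop.strip().lower(), value.strip()
            if not sep or prop not in ALLOWED_PROPERTIES:
                return False, f"property {prop!r} not allowed"
            if not VALUE_RE.match(value):
                return False, f"bad value for {prop!r}"
    if style[pos:].strip():
        return False, "text outside a rule block"
    return True, ""


def render_pending_comment(comment: str) -> str:
    """Moderation view: show the queued comment as text, never as markup."""
    return f"<li>{html.escape(comment)}</li>"
```

Rejecting the input outright (rather than trying to clean it) is the safer default for a free-text style field: a rejected theme costs the user a retry, while a cleaned one that slips through costs every visitor to the profile.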
Just for shits and giggles, I hooked up my profile with a little word of warning to the guys over there. If they delete that profile or remove the code that gives it the desired effect, I’ll post a copy of the page here.
Update (5pm CST):
Hot or Not has temporarily disabled their anything-goes “CSS” input. You can still put code in there – it’s just not going live. So, everyone currently has a default profile style with no custom backgrounds and whatnot. I’ll update this entry once things are live again to let everyone know if their patch job is a decent one.
Oh yeah, here’s how my profile looked before they disabled everything:
Not So Hot Security.
Mashable.com: Hot Or Not Users Get New Found Freedom