Last Updated: February 25, 2016 · blockjon

How I harmlessly pwn'ed a competitor with Javascript

Early in my career, I was looking through our Apache logs when I noticed something I never thought I’d see: HTTP GET requests for the .js file I wrote to power our company’s amortization calculator... but with an HTTP REFERER of our competitor’s website domain.

I confirmed that yes, they were script src’ing to our js file.
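The check that surfaced this, as an added example that is not code from the original post: a small Node script that scans Apache "combined" log lines for GET requests to .js files whose Referer host is outside our own domains. The hostnames and the log lines are constructed for illustration; a real run would read the access log from disk instead of the embedded sample.

```javascript
// Added example (not from the original post): flag scripts on our server
// that are being hotlinked from other sites, by scanning Apache "combined"
// log lines for GET requests to .js files whose Referer host is not one of
// our own domains. Hosts and log lines below are constructed for illustration.

const OWN_HOSTS = ['www.example-lender.com', 'example-lender.com']; // assumed

// Apache combined log format:
// %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/;

function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null; // unparseable line: skip it rather than crash
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), referer: m[7], ua: m[8] };
}

function refererHost(referer) {
  if (!referer || referer === '-') return null; // direct hit or stripped Referer
  try { return new URL(referer).hostname.toLowerCase(); }
  catch { return null; } // malformed Referer: treat as unknown
}

// Exact match or a subdomain of one of our hosts.
function isOwnHost(host, ownHosts) {
  return ownHosts.some(h => host === h || host.endsWith('.' + h));
}

// Returns a Map of "path <- refererHost" -> hit count for every served
// (2xx or 304) .js file requested from a page that is not on our hosts.
function findHotlinkedScripts(logText, ownHosts = OWN_HOSTS) {
  const hits = new Map();
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec || rec.method !== 'GET') continue;
    const path = rec.path.split('?')[0]; // ignore cache-busting query strings
    if (!path.endsWith('.js')) continue;
    const served = (rec.status >= 200 && rec.status < 300) || rec.status === 304;
    if (!served) continue;
    const host = refererHost(rec.referer);
    if (host === null || isOwnHost(host, ownHosts)) continue;
    const key = `${path} <- ${host}`;
    hits.set(key, (hits.get(key) || 0) + 1);
  }
  return hits;
}

// Constructed sample log: two hits from a competitor's page, one from our own
// site, one from our subdomain, one direct request, one unrelated image.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2010:14:02:11 -0500] "GET /js/amortization.js HTTP/1.1" 200 8812 "http://www.competitor.example/mortgage-calc" "Mozilla/5.0"',
  '203.0.113.6 - - [10/Mar/2010:14:03:40 -0500] "GET /js/amortization.js?v=3 HTTP/1.1" 304 - "http://www.competitor.example/mortgage-calc" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Mar/2010:14:04:01 -0500] "GET /js/amortization.js HTTP/1.1" 200 8812 "http://www.example-lender.com/calculator" "Mozilla/5.0"',
  '198.51.100.3 - - [10/Mar/2010:14:04:30 -0500] "GET /js/amortization.js HTTP/1.1" 200 8812 "https://rates.example-lender.com/" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Mar/2010:14:05:00 -0500] "GET /js/amortization.js HTTP/1.1" 200 8812 "-" "curl/7.19"',
  '203.0.113.7 - - [10/Mar/2010:14:05:10 -0500] "GET /img/logo.png HTTP/1.1" 200 1201 "http://www.competitor.example/" "Mozilla/5.0"',
].join('\n');

for (const [key, count] of findHotlinkedScripts(SAMPLE_LOG)) {
  console.log(`${count}\t${key}`);
}
```

Running the sample prints a single line, `2	/js/amortization.js <- www.competitor.example`: the own-site, subdomain, direct and image requests are all filtered out. Note that the Referer header is sent by the visitor's browser and can be stripped or faked, so this finds careless hotlinkers, not a determined one.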

That evening, we decided to launch a new version of our calculator using a new Javascript file. I wondered what we should do with that old Javascript file which we were not using anymore. hm…… :)

Starting that evening, requests for our old js file caused an alert box to appear which said “You are now being redirected to our new site and calculator” and it redirected to our site.
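What the retired calculator file could look like, as an added example that is not the author's actual code: the decision is kept in a pure function so it can be tested outside a browser, and it adds one safeguard the post does not mention, namely that it only alerts and redirects when it finds itself running on a page that is not ours, so a stale `<script src>` on our own site cannot cause a redirect loop. The hostnames and the new calculator URL are assumptions. The lesson for the including side is the mirror image: a `<script src>` pointing at a domain you do not control runs with your page's full privileges, so self-host the file or pin it with Subresource Integrity.

```javascript
// Added example (not the author's code): behaviour of the retired script
// file. Only the host check and the redirect target are assumptions.

const OWN_HOSTS = ['www.example-lender.com', 'example-lender.com']; // assumed
const NEW_CALCULATOR_URL = 'https://www.example-lender.com/calculator'; // assumed

// Exact match or a subdomain of one of our hosts. A host such as
// "example-lender.com.evil.example" does NOT match, because the suffix check
// requires the dot-separated boundary.
function isOwnHost(host, ownHosts) {
  const h = (host || '').toLowerCase();
  return ownHosts.some(o => h === o || h.endsWith('.' + o));
}

// Pure decision: given the host of the page the script is executing in,
// say whether to redirect and where. Testable without a browser.
function decideRedirect(pageHost, ownHosts = OWN_HOSTS, target = NEW_CALCULATOR_URL) {
  if (isOwnHost(pageHost, ownHosts)) {
    return { redirect: false, reason: 'own site' };
  }
  return {
    redirect: true,
    url: target,
    message: 'You are now being redirected to our new site and calculator',
  };
}

// Browser glue: runs only when a real page has loaded this file. Because the
// including page chose to <script src> a file from our origin, this code
// executes with that page's privileges and could do far more than announce
// and redirect; that is the whole point of the story.
if (typeof window !== 'undefined' && window.location) {
  const decision = decideRedirect(window.location.hostname);
  if (decision.redirect) {
    window.alert(decision.message);
    window.location.replace(decision.url);
  }
}
```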

I wish I could have been a fly on the wall at our competitor’s site to see the bewildered look on their faces. I almost feel bad for what must have been the junior developer who included our file.

10 Responses


Beautiful :) Love it when that happens. Must be a pretty lame competitor if the only way they can compete is by essentially stealing what you've done! One word to them - KARMA!! :) Peace.

over 1 year ago

This case highlights it being wise to poke around your Apache logs regularly, rather than strictly relying on Google Analytics.

over 1 year ago

Well played!

over 1 year ago

I did something very similar once. I developed a JavaScript "API" for a client, who then refused to pay up, saying that the project had been canned. I later realized that he was still using my API, so I just put in some code that froze up the browser. The client had to explain to all his clients why their dashboards had stopped working and were hanging their browsers (it was a B2B business).

A few hours later, I got a very angry call from him. I told him I was just doing some tests on JavaScript attacks, and I was not expecting him to still be using my API after he had decided that he didn't need it. He didn't say a word and hung up.

over 1 year ago

Blood on the wall in the "IT apartment"

over 1 year ago

Damn, that was awesome. Hi-five over wi-fi!

over 1 year ago

awesome !!!

over 1 year ago

One day Google will do this with their JavaScript CDN. The whole internet will get redirected to Google Plus.

over 1 year ago

Classic!

over 1 year ago

@hostonnet: That's not in their interest: web developers would stop using the CDN and they would not be able to track users anymore.

over 1 year ago