A Periodic (P)review Of Leaping Forward

By: Johan

Friday, July 22

When A Big Company Cocks Up BIG Time

Someone over at Digital Point Forums found an unknown referrer crawling their site. Upon further investigation it turned out to be Commission Junction, which is only a bit strange since they aren't known for their crawling and this member didn't even run affiliate links from CJ on his site.

When I had a look at the referring host and with the knowledgeable eye of another member it turned out any man and his dog has public access to CJ's template repository management system.

For instance if you log in as a Publisher into your account, you will see text snippets like "Review new transactions." You and I, should you wish (not recommended!), can change that by finding its key, which is something like adv.act.index.rvw_new_action. (I went as far as checking out the edit facility but didn't actually try and modify anything, so it might be the case that there is some last-minute authentication or approval process before such changes go live. It was suggested it might be a non-production server we're looking at as well, but still, you wouldn't want to give away clues to your up-and-coming features, would you?) The templates of the site, the e-mail and other sections of their published network of affiliate sections can all be accessed with links to modify them.

I won't post any live links since I don't want anyone with potentially malicious intent to hack CJ but I have to say, I'm pretty shocked this is possible.

CJ have been informed and I expect this hole to be closed in no time. The hole was first reported today, July 22nd around 10am GMT and at the time of writing (8:50pm) it's still wide open.

A DP member summed it up as a three-fold cock-up: 1. the server is publicly accessible; 2. they advertised its existence by crawling the web and leaving their postcards signed in full; and 3. no authentication is necessary at all to do anything.
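The whole thing was spotted because a crawler left its referrer in the logs, and point 2 above is exactly that. As an added example (not code from the original post or from CJ), here is the kind of referrer audit a site owner can run over their own web server access log to surface hosts that have never sent traffic before. The log lines, the site name www.example.com and the referrer host tools.unknown-partner.example are all constructed for the example; the list of known referrer hosts is an assumption you would replace with your own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the two quoted fields at the end
# are the referrer and the user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (placeholder IPs, dates and hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Jan/2000:10:02:15 +0000] "GET /products/ HTTP/1.1" 200 8812 "http://www.google.com/search?q=widgets" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2000:10:03:01 +0000] "GET /robots.txt HTTP/1.1" 200 42 "-" "SomeBot/1.0"',
    '198.51.100.5 - - [01/Jan/2000:10:04:40 +0000] "GET /products/widget HTTP/1.1" 200 7730 "http://tools.unknown-partner.example/admin/templates" "Mozilla/4.0"',
    '198.51.100.5 - - [01/Jan/2000:10:04:41 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://tools.unknown-partner.example/admin/templates/edit" "Mozilla/4.0"',
    'this line is not a valid access log entry',
]

# Assumed allow-list: our own site plus referrers we expect to see.
KNOWN_HOSTS = ["www.example.com", "www.google.com"]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referrer_host(referrer):
    """Extract the lower-cased hostname from a referrer URL; None for '-' or empty."""
    if not referrer or referrer == "-":
        return None
    host = urlsplit(referrer).hostname
    return host.lower() if host else None


def is_known(host, known_hosts):
    """A host is known if it equals, or is a subdomain of, an allow-listed host."""
    for k in known_hosts:
        k = k.lower()
        if host == k or host.endswith("." + k):
            return True
    return False


def unknown_referrers(lines, known_hosts):
    """Return one record per request whose referrer host is not on the allow-list."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than guessing
        host = referrer_host(rec["referrer"])
        if host is None or is_known(host, known_hosts):
            continue
        hits.append({
            "ip": rec["ip"],
            "host": host,
            "referrer": rec["referrer"],
            "path": rec["path"],
        })
    return hits


def summarize(lines, known_hosts):
    """Count flagged requests per unknown referrer host, most frequent first."""
    return Counter(h["host"] for h in unknown_referrers(lines, known_hosts))


if __name__ == "__main__":
    for host, n in summarize(SAMPLE_LOG, KNOWN_HOSTS).most_common():
        print(f"{n:4d}  {host}")
    for h in unknown_referrers(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"{h['ip']}  {h['path']}  <-  {h['referrer']}")
```

Running it prints one summary line for tools.unknown-partner.example with a count of 2, followed by the two requests that carried it. The referrer is client-supplied and trivially forged, so this is a discovery aid rather than evidence; the point is that an unfamiliar host showing up here is worth a look, which is how this incident was found.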

It would have been interesting to see how long alterations would have gone unnoticed but we decided the best thing to do was to let them know their booboo. Could have been real ugly for them if we happened to be hackers!