XSS History Hack == ‘legit’ Business Plan??

Interesting new way for an attacker to monetize based on XSS Browser History Attacks. (Jeremiah’s hack with java or RSnake’s hack without java).

This holiday season might be the right time to have that little talk with mom and dad about practicing ‘safe-browsing’

Sounds like contextual advertising based on reviewing cookies stolen from your browser… well, just read this snippet from their Terms and Conditions page
(creative spelling and grammatical goodness preserved for all intents and purposes)

“2.d. Wozad Matching Ads are choosed as a result of your each visitor browsing history, you are the sole responsable for informing and let your visitors agree that their browsing history will be analyzed for targeting purposes. You are also the sole responsable about any privacy-issue that may arise between you, your site, Wozad and/or Wozad Advertisers, and a third party (visitor).”

Before I give you the site, let me remind you that you really need to be running Firefox with something like NoScript <http://noscript.net> and it better be on and blocking…

www <dot> wozad <dot> com

Through a hack, maybe you don’t need referral networks to glue together context-based ads.  Maybe you don’t really need privacy… and they don’t need ethics…

I saw this on one of my RSS feeds, but I had to offer this up if you hadn’t seen it.  The post was only the URL.  Have fun, safe browsing!
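As an added illustration (not code from the original post, nor anything from Wozad), here is a defensive heuristic in the spirit of a NoScript-style check: it scans a page’s inline CSS for the `:visited` history-sniffing pattern the post refers to, where a `:visited` rule changes layout or fetches a resource and a hidden block holds a long list of probe links. Both sample pages are constructed for the example.

```javascript
// Properties a :visited rule has no legitimate reason to change: altering layout
// lets script read the visited state back, and a url() fetches a per-link beacon.
const SNIFF_PROPS = new Set([
  'background', 'background-image', 'width', 'height', 'display', 'position',
]);
// Extract every rule whose selector contains :visited and the properties it sets.
function findVisitedRules(css) {
  const rules = [];
  const ruleRe = /([^{}]*:visited[^{}]*)\{([^}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const props = m[2]
      .split(';')
      .map((decl) => decl.split(':')[0].trim().toLowerCase())
      .filter(Boolean);
    rules.push({ selector: m[1].trim(), props });
  }
  return rules;
}
// Collect the text of all inline <style> blocks from an HTML string.
function inlineCss(html) {
  const styles = [];
  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = styleRe.exec(html)) !== null) styles.push(m[1]);
  return styles.join('\n');
}
// Verdict: a :visited rule touching layout/fetch properties is the signature;
// a hidden block holding many links the visitor never sees makes it stronger.
function assessPage(html) {
  const css = inlineCss(html);
  const suspiciousRules = findVisitedRules(css).filter((r) => r.props.some((p) => SNIFF_PROPS.has(p)));
  const linkCount = (html.match(/<a\s[^>]*href\s*=/gi) || []).length;
  const hiddenLinks = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(css) && linkCount >= 20;
  let verdict = 'clean';
  if (suspiciousRules.length && hiddenLinks) verdict = 'likely-history-sniffing';
  else if (suspiciousRules.length) verdict = 'suspicious';
  return { verdict, suspiciousRules, linkCount };
}
// Constructed sample pages (not real sites): a normal visited-link colour vs. the sniffing pattern.
const BENIGN_PAGE = '<style>a:visited { color: purple; }</style><a href="/about">About</a>';
const SNIFFING_PAGE =
  '<style>#probe { display: none; } a:visited { background: url(/beacon); }</style>' +
  '<div id="probe">' +
  Array.from({ length: 25 }, (_, i) => `<a href="https://example.test/site${i}">x</a>`).join('') +
  '</div>';
console.log(assessPage(BENIGN_PAGE).verdict, assessPage(SNIFFING_PAGE).verdict);
```

A plain `a:visited { color: ... }` rule is deliberately not flagged, since recolouring visited links is normal styling; only rules that change layout or load a resource count.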


One Response to “XSS History Hack == ‘legit’ Business Plan??”

  1. Rafal Los Says:

    Trey – thanks, I hadn’t seen this one. I did a write-up on some of these shady practices (but related to those “smilies” that you can download to decorate email/IM) a while back and although the company I wrote about apparently was capable of using proper Engrish.
    I mention this because these sorts of practices are often hidden behind legitimate business practices (or so they would have you believe) and veiled beyond third-party affiliations, and foreign lands with strained if any extradition treaties.
    Not surprisingly, all of these practices that I’ve read about, and you posted about here, center around advertising (malware-tising, etc) and making money around people’s clicks.

    Thanks again, fascinating. Maybe we could convince anti-virus/personal-firewall vendors to black-list these companies? Food for thought.
