I have stumbled upon a small exploit within the Disqus commenting system that I thought I would recklessly share with you…
Take a look at the comments on this page:
There isn’t one, is there?
Now look for a comment on this page:
Now let’s look at another page…
This is the “Also on this blog” section of the commenting system. These links simply point to other pages on the site that have comments on them; to be clear, these are internal pages of my blog. BUT clicking on the “introduction to python classes” post takes you to the proxy version, as above. This means we have successfully embedded an external link in an internal link location!
So the comments are pretty much hidden on the post itself and only viewable via the original proxy or in the “Also on this blog” section, and all we had to do was leave a comment via a proxy. Simple.
When loading content through a proxy, it’s simply a matter of doing a find and replace… on anything you want: steal social interactions (likes etc.), change ad codes, affiliate info or email sign-ups, or maybe just steal comments, you name it.
Of course, users could spot they are not on the original domain, but with a subtly named domain closely matching the target’s, I’m going to bet most wouldn’t notice. For example, say this blog was the target, we could register…
https://www.davidnaylor.co/ or maybe https://www.davidnayl0r.co.uk/
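As an added defender’s check that is not part of the original post, the following JavaScript audits the hrefs a related-posts widget exposes and flags any that point off the canonical host, including look-alike hosts such as the two above. The canonical host and the sample link list are constructed assumptions, not data from Disqus or this blog.

```javascript
// Added example (not part of the original post): audit the URLs a comment
// widget's "Also on this blog" list points at, and flag any that leave the
// canonical host. All hostnames and URLs here are constructed for illustration.
const CANONICAL_HOST = "www.davidnaylor.co.uk"; // assumed canonical host

// Constructed sample of what the widget might return after a comment was
// submitted through a proxied copy of the site.
const SAMPLE_LINKS = [
  "https://www.davidnaylor.co.uk/introduction-to-python-classes/",
  "https://www.davidnaylor.co/introduction-to-python-classes/",
  "https://www.davidnayl0r.co.uk/introduction-to-python-classes/",
  "https://mirror.example/introduction-to-python-classes/",
  "not a url",
];

// Normalise a hostname: lower-case, drop a trailing dot and a leading "www.".
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "").replace(/^www\./, "");
}

// Levenshtein distance (single-row form), used to catch short typosquats.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classify one link as "internal", "look-alike", "external" or "invalid".
function classifyLink(url, canonicalHost = CANONICAL_HOST) {
  let host;
  try { host = new URL(url).hostname; } catch { return "invalid"; }
  const want = normaliseHost(canonicalHost);
  const got = normaliseHost(host);
  if (got === want) return "internal";
  // Same leading label on another suffix (davidnaylor.co) or a host a couple
  // of edits away (davidnayl0r.co.uk) is a look-alike worth flagging.
  const sameLabel = got.split(".")[0] === want.split(".")[0];
  if (sameLabel || editDistance(got, want) <= 2) return "look-alike";
  return "external";
}

// Return every link that should not be sitting in an "internal" link slot.
function auditLinks(urls, canonicalHost = CANONICAL_HOST) {
  return urls
    .map((url) => ({ url, verdict: classifyLink(url, canonicalHost) }))
    .filter(({ verdict }) => verdict !== "internal");
}
```

Run against the widget’s anchors on page load (or against a periodic crawl of the thread list) to surface proxy-hosted links before readers click them.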
So you find a target, insert the link (by leaving a comment via a proxy) and then hijack the session when someone clicks the link.
Disclaimer: We don’t condone this technique or others like it, and hope that Disqus fixes this issue!