Comment Spam 2.0

by Craig Addyman
Bronco - Digital Marketing Agency

I have stumbled upon a small exploit within the Disqus commenting system that I thought I would recklessly share with you…

Take a look at the comments on this page:
http://www.digipy.co.uk/introduction-to-python-classes/

There isn’t one, is there?

Now look for a comment on this page:
http://l33t-h4x0r.appspot.com/www.craigaddyman.com/introduction-to-python-classes/

You see it?

[Image: disqus hack]

Now let’s look at another page…

(http://www.digipy.co.uk/how-to-write-a-rank-checker-in-python/)

[Image: disqus exploit]

This is the “Also on this blog” section of the commenting system; these entries link to other pages on the site that have comments on them. To be clear, these are internal pages of my blog, BUT clicking on the “introduction to python classes” post takes you to the proxy version shown above. This means we have successfully embedded an external link in an internal link location!

So the comment is effectively hidden on the real post, viewable only via the original proxy or in the “Also on this blog” section, and all we had to do was leave a comment via a proxy. Simple.

When loading content through a proxy, it’s simply a matter of doing a find and replace on anything you want: steal social interactions (likes etc.), change ad codes, affiliate info or email sign-ups, or maybe just steal comments. You name it.

Of course, users could spot that they are not on the original domain, but with a subtly named domain closely matching the target’s, I’m going to bet most wouldn’t notice. For example, if this blog were the target we could register…
https://www.davidnaylor.co/ or maybe https://www.davidnayl0r.co.uk/

So you find a target, insert the link (by leaving a comment via a proxy) and then hijack the session when someone clicks the link.
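The root of the problem described above is that Disqus keys comment threads by the page URL it is embedded on, so a proxied copy of a page gets its own thread on a foreign host and that host then leaks into the “Also on this blog” links. As an added example (my own script, not part of the original post or of Disqus), here is a small audit a site owner could run over the thread URLs their forum reports, flagging any thread whose host is not the site’s own and, in particular, proxy-style URLs whose first path segment is itself a hostname, like the l33t-h4x0r.appspot.com link above. The trusted host set is an assumption and the sample URLs are constructed from the post; how the URL list is obtained (admin export, API) is outside the example.

```python
import re
from urllib.parse import urlparse

# Hostnames this Disqus forum is allowed to have threads on (assumed config;
# a real site would list its canonical host and any legitimate aliases).
TRUSTED_HOSTS = {"www.digipy.co.uk"}

# A path segment that looks like a hostname, e.g. "www.craigaddyman.com".
# Proxied copies of a site commonly rewrite URLs into this shape.
HOSTLIKE_SEGMENT = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

# Constructed sample of thread URLs, modelled on the ones in the post.
SAMPLE_THREAD_URLS = [
    "http://www.digipy.co.uk/introduction-to-python-classes/",
    "http://www.digipy.co.uk/how-to-write-a-rank-checker-in-python/",
    "http://l33t-h4x0r.appspot.com/www.craigaddyman.com/introduction-to-python-classes/",
    "https://example.org/some-unrelated-post/",
]


def classify_thread_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Classify one thread URL as 'ok', 'proxied' or 'foreign'.

    'ok'       - host is one of the site's own hostnames
    'proxied'  - host is foreign and the path starts with a hostname-like
                 segment, the signature of a reverse-proxied copy
    'foreign'  - any other host the forum should not have threads on
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in trusted_hosts:
        return "ok"
    first_segment = parsed.path.lstrip("/").split("/", 1)[0].lower()
    if HOSTLIKE_SEGMENT.match(first_segment):
        return "proxied"
    return "foreign"


def audit_thread_urls(urls, trusted_hosts=TRUSTED_HOSTS):
    """Return {url: classification} for every URL that is not 'ok'."""
    findings = {}
    for url in urls:
        verdict = classify_thread_url(url, trusted_hosts)
        if verdict != "ok":
            findings[url] = verdict
    return findings


if __name__ == "__main__":
    for url, verdict in audit_thread_urls(SAMPLE_THREAD_URLS).items():
        print(f"{verdict:8s} {url}")
```

Anything reported as `proxied` or `foreign` is a thread that should not exist for the site and can be removed or merged from the forum admin; the detection side is this audit, while the configuration side is restricting which domains may embed the forum at all, which removes the foreign thread rather than just surfacing it.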

Disclaimer…We don’t condone this technique or others like it and hope that Disqus fixes this issue!
