Kiwicon Hacks Up Media Coverage
August 28, 2007 9:55 PM   Subscribe

The organisers of New Zealand hacking convention Kiwicon have created some PR the only way they know how, l33t h4x0ring. Using a XSS bug in NZ's largest newspaper the NZ Herald they created a fake URL that injected javascript to rewrite an article there. The URL got passed around and soon ended up with genuine media coverage in NZ Herald's biggest competitor Stuff. An earlier effort on the NZ Computerworld site was quickly fixed and got no media coverage.
posted by sycophant (14 comments total) 1 user marked this as a favorite
Disclosure: I'm not involved in Kiwicon in anyway, but I am quoted in the Stuff article about the NZ Herald 'hack'.
posted by sycophant at 9:55 PM on August 28, 2007

Isn't a kiwi was just a h4x0red wiki?
posted by UbuRoivas at 10:00 PM on August 28, 2007

I don't get it - so the javascript rewrote the article to make it seem like it was written for a primary school project, based on futurist thought from a decade ago? Admittedly, it's a pretty funny parody, if a little subtle. I particularly love this bit:

There is already a surfer who has designed a surfboard with internet access, but Mr Cerf's hot tip was an internet enabled remote control, which would allow people to control their home entertainment from anywhere in the world.

Bwahahahahahaha! Why the fuck would anybody on the other side of the world want to change their TV channel back home? To deter thieves? Bwahahahahaha!

Oh, hang on - The spoof doesn't work in Internet Explorer 7

So that was the real article?!?!?

posted by UbuRoivas at 10:11 PM on August 28, 2007

This Tiny URL seems to work in IE and Firefox. But the Herald has a lot of ads on it, and the XSS doesn't load until the end, so it can take a while for the article to 'change'.
posted by sycophant at 10:15 PM on August 28, 2007

The biggest competitor to NZ's largest newspaper is called "Stuff"???
posted by smackfu at 10:28 PM on August 28, 2007

Yeh, as in "stuff happens".

Or in the case of New Zealand, stuff-all happens.

And no way am I clicking on that tiny url link. It will probably install some kinda javascript thingy to rewrite all my MeFi comments in lolcat.
posted by UbuRoivas at 10:36 PM on August 28, 2007

posted by UbuRoivas at 10:37 PM on August 28, 2007 [2 favorites]

They apparently pulled the article, so the link no longer works. For the curious, here is the javascript (including the new article text).
posted by you at 10:37 PM on August 28, 2007

"have created some PR the only way they know how"

Do you mean "as only they know how" (as in "only they have the skills to pull off something like this")? Or is hacking really the only way they know how to create PR? If so, those guys ought to get out more often.
posted by pracowity at 11:30 PM on August 28, 2007

I realize that it was presented in this simplified manner in order to keep your FPP on-topic and succinct, but its probably a bit of a stretch to consider XSS l33t anything.
posted by ChasFile at 11:56 PM on August 28, 2007

No, the l33te5t think about it is that they went out of their way to identify these holes in media sites so they could do this.
posted by sycophant at 12:28 AM on August 29, 2007

Looks like The Herald has wised up and have changed things to redirect any URLs trying to exploit this hole straight to the main page.
posted by sycophant at 12:32 AM on August 29, 2007

What a surprise - it's the editors top "pick" for the day, right ahead of "UFO spotted near Kaitaia baffles experts". Another slow news day down there before the Rugby World Cup gets properly underway?

I booked my flight down to NZ for Kiwicon last week. But primarily on the promise of good Wellington beer and food. You don't need a XSS to promote that....
posted by inflatablekiwi at 7:51 AM on August 29, 2007

"I booked my flight down to NZ for Kiwicon last week."

Whatever, nerd.
posted by John Shaft at 1:00 PM on August 29, 2007 [1 favorite]

« Older RANDOM.ORG   |   Ronald Jenkees Newer »

This thread has been archived and is closed to new comments