Instead of multiple clicks, you can just open Console and type in.
FKART.digital.addToLibrary(‘DGADCWYGABB8HQGP’)
I haven’t tested the case where there is money in the Wallet.
Hail Javascript! Well JQuery in this case.
Tag Archives: hacks
Hijack any launchrock page in 1 minute
Really?
Yes. This vulnerability lets any launchrock user to hijack your launchrock landing page (embedded widgets are safe)
Show me!
So who are affected?
Any custom launchrock domain pointing to sites.launchrock.com for CNAME, which is basically pointing your DNS to launchrock servers, is vulnerable to this attack.
I was successfully able to hijack my friend’s launch.learnsocial.com as well as a few launch pages of my own.
$ dig launch.learnsocial.com @8.8.8.8 ;; ANSWER SECTION: launch.learnsocial.com. 21599 IN CNAME sites.launchrock.com. sites.launchrock.com. 299 IN A 50.17.236.4
This works because launchrock does not check whether,
- you own that domain or not
- the domain is already in use by some other site (Tumblr does this)
So, anybody with malicious intentions can hijack at least 1000 sites that currently point to launchrock servers.
How can I quickly try this hack?
- Create a “new project” / use an existing project
- Point your project’s domain to an existing launchrock page’s domain (Feel free to use
launch2.yekkada.comto test it out.)
Quick try for developers:
$.ajax({url: 'http://platform.launchrock.com/v1/updateSiteSetting', method: 'POST', data: {session_id: 'session_id', site_id: 'FV0CNZBC', setting_name: 'siteDomain', setting_value: 'launch2.yekkada.com'} });
$.ajax({url: 'http://platform.launchrock.com/v1/launchSite', method: 'POST', data: {site_id: 'FV0CNZBC'} });
It took me more time to get around the UI than to find this bug. I could not use the ‘advanced code editor’.
Is there no solution?
Until launchrock comes up with a solution (something along the lines of google app’s approach to custom domains), there seems to be only 1 solution to this if you want to continue to use launchrock.
Use your own server to “embed” the same code.
That’s what we ended up doing for our idea – VacantWalls.
Is embedding secure?
Yes, compared to pointing your site’s DNS to launchrock’s servers.
We have already brought this to launchrock’s attention
Sairam's Blog 