A decision had to be made.
You see, the context of the HM2K blog has always had a subtle undertone of my business and the work I do online. That business is Phurix web hosting.
Phurix has always supported me and the blog, but unfortunately, because of other commitments I have less and less time to write and publish.
At first I thought the best solution would be to shut down the blog and call it a day, while a colleague said he thinks I should keep it online.
I’ve been thinking about a solution for a long time but then, while I was on holiday, it hit me.
Merge it into the Phurix brand. It made sense too:
A proposal was put forward and it went better than expected; it all seemed to fit together nicely. Perfect!
The decision was made and I have no regrets.
Today, we started by introducing a new “Phurix Labs” theme to HM2K.com, so phase one is done.
Over the next few days, the website will be migrated from here to “labs.phurix.net” (where it now belongs). That’s phase two.
Thanks for reading and I hope you continue to support the new Phurix Labs project.
These are exciting times, watch this space!
About Phurix
Since 2004, Phurix has offered affordable and reliable hosting services with a no nonsense approach. Phurix will continue to provide a high quality of service and engage with customers to ensure its future and growth.
Authorised cPanel Partner and OpenSRS partner.
About Phurix Labs
Phurix Labs is where we experiment with ideas and findings. You’ll find all sorts of useful tools and information.

Sure it was spam, but this one was tagged with a “Password” tag, a tag that I used to filter any emails that contain an old password.
Lo and behold, there was my password displayed right in the email. So, of course, the first thing to do was to check the email headers to see how the email was routed.
I could not believe it!
To: “password1” <[email protected]>
Note: my password is not password1, I replaced it with that.
They had inserted my password instead of my name in the “To” part of the email headers.
The email address they sent to was an alias which I had used specifically for friendster, so I knew. However, according to the email headers it definitely did not come from the friendster servers.
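The two checks described above, filtering inbound mail for an old password and reading the Received headers to see how a message was routed, as an added example in Python (not the author's own filter, which was a mail-client tag rule). The sample message, its addresses and the placeholder password “password1” are all constructed; the filter stores only a keyed hash of each retired password, so the filter itself is not another plaintext copy of it.

```python
"""Flag inbound mail that carries a retired password, and show its routing hops.

Added example, not code from the post. Everything below is constructed data.
"""
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

# Constructed sample resembling the spam described in the post (placeholder addresses).
SAMPLE_MESSAGE = """\
Received: from mail.example.com ([192.0.2.20]) by mx.example.net; Wed, 1 Jun 2011 10:00:00 +0000
Received: from spammer-host ([198.51.100.7]) by mail.example.com; Wed, 1 Jun 2011 09:59:00 +0000
From: "Friend Finder" <noreply@example.org>
To: "password1" <friendster-alias@example.com>
Subject: Someone wants to be your friend

Click here to see who it is.
"""

# Assumption: a per-mailbox secret kept outside the mail store. Retired passwords are kept
# only as HMAC fingerprints, so a leak of this filter's data does not leak the passwords.
FILTER_KEY = b"local-filter-secret"


def fingerprint(secret: str) -> str:
    """Keyed hash of a candidate string, used for comparison instead of the plaintext."""
    return hmac.new(FILTER_KEY, secret.encode("utf-8"), hashlib.sha256).hexdigest()


# "password1" stands in for the real retired password, exactly as in the post.
RETIRED_PASSWORD_FINGERPRINTS = {fingerprint("password1")}


def find_leaked_passwords(raw_message: str, fingerprints=RETIRED_PASSWORD_FINGERPRINTS):
    """Return (location, token) pairs where a retired password appears in the message.

    Display names of address headers are checked whole, because that is where the
    post's spam carried the password; the subject and body are checked word by word.
    """
    msg = message_from_string(raw_message)
    hits = []
    for field in ("From", "To", "Cc", "Reply-To"):
        for name, _addr in getaddresses(msg.get_all(field, [])):
            if name and fingerprint(name) in fingerprints:
                hits.append((field, name))
    for word in (msg.get("Subject") or "").split():
        if fingerprint(word) in fingerprints:
            hits.append(("Subject", word))
    if not msg.is_multipart():
        for word in (msg.get_payload() or "").split():
            if fingerprint(word) in fingerprints:
                hits.append(("Body", word))
    return hits


def received_chain(raw_message: str):
    """Received headers in delivery order: each relay prepends its own, so the
    first hop (the originating host) is the last Received header in the message."""
    msg = message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))


if __name__ == "__main__":
    print("leaked:", find_leaked_passwords(SAMPLE_MESSAGE))
    for hop in received_chain(SAMPLE_MESSAGE):
        print("hop:", hop)
```

The first Received hop is the one to compare against the sender's real mail servers; if it does not belong to them, the message did not originate there, which is the observation the post makes.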
How did the spammers manage to get my password and email address?
I’ve certainly not used the account since about 2005, so it can’t have been me.
Does friendster store their passwords in plain text?
I figured the easiest way to check is to issue a “forgot password” request and see what happens.
I received an “Your Friendster account information” email which contained my password in plain text right in the email.
Yes, this means it is absolutely possible that if somebody did hack into friendster they could recover my password (and everyone else’s) from their database.
What does this mean for friendster?
Well, probably not a lot, since most people are waving bye-bye to friendster anyway as friendster starts to delete all user data from their servers.
My tip: Don’t delay, delete it today!
Update 02/06/11
Yesterday I emailed friendster to notify them of a serious security concern; today I received this reply:
Thank you for reporting this to us. We take reports like this seriously and we shall make the proper investigation on your concern. Unfortunately, we don’t have a specific time frame on when the investigation will be completed. We apologize for the inconvenience.
Regards,
Frank
Customer Support
P.S. Thanks for your comments, I’m glad I’m not alone. Keep them coming!

So, looking back at a post written by Oatmeal which explains how to get 20 .gov links in 20 minutes, I wondered if the same was possible for Dmoz…
After very little searching I soon discovered that the main search function of Dmoz is vulnerable to reflected cross-site scripting (XSS).
This means whatever is typed into the search form input box is echoed back into the results page without being HTML-encoded, so malicious users could easily place HTML code there and manipulate the markup on the site.
Here’s a proof of concept showing how you would link to example.com with the anchor text as “Look, I made a link”:
http://www.dmoz.org/search?q=%3Ch1%3E%3Ca+href%3D%22http%3A%2F%2Fexample.com%22%3ELook%2C+I+made+a+link%3C%2Fa%3E%3C/h1%3E
To make this effective, you would simply need to swap out the domain and the anchor text and (in theory) you would have to link to the resulting URL from various other websites for it to eventually get indexed and start passing link juice for things like PageRank.
This is not the first time that Dmoz has been subject to such a flaw, as in 2007 they were subject to a similar XSS vulnerability in their blog search.
The proper fix is to HTML-encode the search term before echoing it back into the page, and there are many well-established ways Dmoz could mitigate this on the server aside from fixing their site code, but they have chosen not to. I’m not sure why.
Is there any SEO value in these type of links? It’s uncertain.
Is there a security risk? Yes, definitely.
Dmoz is not the only site to ever become subject to an XSS exploit; twitter has been vulnerable plenty of times, but by golly they fixed it.
Will Dmoz pull their finger out, or is it dead, Jim?
Note: Dmoz Staff were unavailable for comment at time of publication (email address was unreachable).