JamieH's comments

JamieH · on March 6, 2025

We did some similar work back in 2020: https://www.kryptoslogic.com/blog/2020/12/automated-string-d... I've always wanted to revisit it and add support for garble but I guess that's no longer necessary :)

JamieH · on March 11, 2015

No Windows Phone client for a start.

Gigablah · on March 11, 2015

I recently complained about the lack of a Windows Phone client on their Facebook page, and their response was "The service you've requested is currently not on our roadmap".

asyncwords · on March 11, 2015

I had asked the founder about a Windows Phone client a couple of weeks ago and at the time he had said a WP client was 'very likely'. Not sure which is more recent, but I would also like to see an Authy client for Windows Phone.

https://news.ycombinator.com/item?id=9100644

JamieH · on Sept 19, 2014

Still working here if anyone is yet to see it.

http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins....

JamieH · on Sept 18, 2014

It's my personal domain, I use mandrill for some stuff.

SEJeff · on Sept 18, 2014

Hell of a good prank dude, well played sir!

JamieH · on Sept 18, 2014

The TXT record isn't being sanitized so it just echos out the script tag which then loads the JS file.

JamieH · on Sept 18, 2014

So uh. This works on a few websites. A couple I've found

http://dig.whois.com.au/dig.php?dom=jamiehankins.co.uk&type=...

http://mxtoolbox.com/SuperTool.aspx?action=txt:jamiehankins....

nitinag · on Sept 18, 2014

Our dns lookup tool is safe from this: https://www.misk.com/tools/#dns/jamiehankins.co.uk

arenaninja · on Sept 18, 2014

OH! Now I get it. Honestly, this is hilarious

jsmthrowaway · on Sept 18, 2014

Put your e-mail on your profile. The smart appsec groups, like Google's, would look at your hack as a resume. Seriously, who would have ever thought of XSS via DNS?

You could have just alert'd, too, but no. Harlem Shake. Bravo.

spb · on Sept 19, 2014

http://dig.whois.com.au/dig.php?dom=jamiehankins.co.uk&type=... appears to have fixed it.

btown · on Sept 19, 2014

To those at work: exploited sites will autoplay music. Make sure your sound is muted or your headphones are in.

jpinkerton88 · on Sept 18, 2014

Beautifully done.

mc_hammer · on Sept 18, 2014

^^ hilarious :)

giancarlostoro · on Sept 18, 2014

I'm guessing nobody else noticed the Rick Roll in there too?

BuildTheRobots · on Sept 18, 2014

As the script was just bouncing the search box at the start I a) assumed it was deliberate and b) expected them to start trying to sell me domains.

The rickroll was the first bit I noticed o_0

astrodust · on Sept 18, 2014

I appreciated the "allowfullscreen" option being thoughtfully included.

josephjrobison · on Sept 19, 2014

Am I the only one here that doesn't get what I should be looking for? I see the txt fields have google-site-verification and peniscorp but what is that doing?

Sanddancer · on Sept 19, 2014

They finally fixed it, but when this was first posted, the whois sites didn't do any sanitization of the TXT records, which meant that they'd just slap the record into the page. As the record included html saying, "hey, load this script from peniscorp", loading the page would let the script loaded there do various manipulations.

duncans · on Sept 19, 2014

Nitpick: they should have been encoding the output not sanitising.

swartkrans · on Sept 18, 2014

So like, what template library are these sites using that doesn't have basic XSS protection. :|

Havvy · on Sept 18, 2014

Probably basic PHP?

serveradminblog · on Sept 18, 2014

MXToolbox is a windows based app