ChrisDevBox

I ran into this little security hole when I got an email (SPAM *wink*) from JibJab asking me to use their Sendables service.  I started to create one, but then I realized that I had to pay for it, so I stopped!

well being the hacker that I am I looked into circumventing their technology, so that I could use their “preview” version and host it some place else and it worked!!! (SORRY JIBJAB I really love your product, I just felt a little greedy today… plus 10 bucks for 100 credits come one man)

JibJab if you are reading here is how you can reproduce:

1. Go to the sendables page http://www.jibjab.com/sendables/
2. Select your favorte sendable, upload photos, save.
3. Click on the preview button / Link
4. Right click on the page and select view source
5. Click CTRL+F and search for .swf
6. Locate a string that looks liek this: %2Fsendables%2Fapi%2Fpreview%2FIxLyhHno2XoHrM4xbre6q4C5.xml
7. Insert that string into the ##HERE## area below

<embed src=”http://llnw.jibjab.com/content/player.swf” width=”450″ height=”395″ flashVars=”content_url=http%3A//www.jibjab.com##HERE##” wmode=”transparent” pluginspage=”http://www.macromedia.com/go/getflashplayer” type=”application/x-shockwave-flash”> </embed>

So using the string above it should looke like this

<embed src=”http://llnw.jibjab.com/content/player.swf” width=”450″ height=”395″ flashVars=”content_url=http%3A//www.jibjab.com%2Fsendables%2Fapi%2Fpreview%2FIxLyhHno2XoHrM4xbre6q4C5.xmlwmode=”transparent” pluginspage=”http://www.macromedia.com/go/getflashplayer” type=”application/x-shockwave-flash”> </embed>

And to prove to you that I’m not lying here is a quick sample!

http://www.chrisdevbox.com/hacks/jib-jab-hack/

When you are done with that please check out what I did last night….

This entry was posted on Tuesday, May 20th, 2008 at 7:01 pm and is filed under Hacks.