3 comments

[ 3.1 ms ] story [ 20.7 ms ] thread
I was concerned for a moment, but this seems more like an issue for big companies, not individuals.
Years ago a friend of mine demoed an exploit of another mutual friend who'd let a domain lapse that was used as the reset email for a yahoo account. We let him know obviously.
I recently found a car parts shop and noticed they link to a abandoned domain that hosted a Piwik (now Matamo) script.

I bought the domain and now every customer was running scripts from my server. Being a good sports I notified them but they didn't react. I even visited them in the shop and they accused me of hacking so I let it be.

After a year I saw them promoting their site (that was still running code from my server) on facebook and I wrote them and they accused me again and threatened me with a lawyer.

Issue only got resolved because I found out a facebook friend of mine knows the owner and he dropped everything after they intervened.

I worte it in detail on my blog (which they also tried to make me take down): https://blog.haschek.at/2019/threat-vector-legacy-static-web...