Years ago a friend of mine demoed an exploit of another mutual friend who'd let a domain lapse that was used as the reset email for a yahoo account. We let him know obviously.
I recently found a car parts shop and noticed they link to a abandoned domain that hosted a Piwik (now Matamo) script.
I bought the domain and now every customer was running scripts from my server. Being a good sports I notified them but they didn't react. I even visited them in the shop and they accused me of hacking so I let it be.
After a year I saw them promoting their site (that was still running code from my server) on facebook and I wrote them and they accused me again and threatened me with a lawyer.
Issue only got resolved because I found out a facebook friend of mine knows the owner and he dropped everything after they intervened.
3 comments
[ 3.1 ms ] story [ 20.7 ms ] threadI bought the domain and now every customer was running scripts from my server. Being a good sports I notified them but they didn't react. I even visited them in the shop and they accused me of hacking so I let it be.
After a year I saw them promoting their site (that was still running code from my server) on facebook and I wrote them and they accused me again and threatened me with a lawyer.
Issue only got resolved because I found out a facebook friend of mine knows the owner and he dropped everything after they intervened.
I worte it in detail on my blog (which they also tried to make me take down): https://blog.haschek.at/2019/threat-vector-legacy-static-web...