Out of the blue this morning I remembered the time I pranked almost every member of a forum I used to frequent. I won’t drop any names, but this was the official forum of a major music artists and his fans were (and still are) obsessive and so much fun to toy with.
Back in the day me and a number of my online compadres shared information with each other on how to manipulate the workings of a forum system developed specifically for the artist websites of one of the world’s most recognized record labels and its daughter companies. The exploit information usually ended up in mailboxes of the developers, but only after we had some fun with it first.
A passive symbiotic relationship had developed between developers and the people that visited the forums just to toy with them. We messed around with some exploit we found and when it got boring (or completely out of our control) we let the developers know about it hoping it would get patched soon.
Given that this system was used on the sites of every single artist signed to this record company, the flaws we found sometimes had ramifications beyond the scope of our playtime activities.
One exploit was so major it was kept in a very close circle. It allowed for the exploiter to take ownership, control and identity of any user on the forum at any time. This was made possible by poor and a low level of encryption and in some cases a flawed understanding and implementation of authentication concepts. In short, hours of harmless fun with the users’ minds. The exploit was further developed by yours truly to include cross level access. 
This meant that I could elevate my rights on the forum from “user” to “artist”, “moderator” or “administrator” allowing me to not only post items as someone else but also post announcements as moderators or successfully pose as any artist. Which brings us to the prank.
Since everyone on that forum was obsessed with the artist , we decided to pose as the artist and send some messages. We took ownership of an account with a user name that appeared to be the artist, manipulated a POST header and posted a message on there. To this day, most of the people that were there when it happened thought it was the artist posting.
I can’t say I’m proud of my past juvenile antics, but I did learn masses about how not to develop CMS systems and what pitfalls to look out for; also, it was masses of fun.
Mind you, most of the exploits were eventually divulged to the system developers, but it did not stop the demise of that forum system. Today the artist websites have CMS and forums based on standardized .NET Framework objects. They’re poorly coded and buggy to this day.
Author: Tanin
Tanin in an information technology consultant specializing in complex heterogeneous environments. He can be reached through multiple social networking sites including Twitter.
