Not too long ago, I added my company, Inedo, to the federal government's Central Contractor Registration system. I don't know, I just didn't want to miss out on all the fun everyone seems to have with government work. Whenever one signs up for virtually any government thing, a deluge of companies somehow manage to find out. The CCR is certainly no exception.
One of the many companies that contacted me after signing up was the Federal Suppliers Guide. The initial cold call went something like this:
FSG Rep: Hi Alex, I've got some great news for you!
(Let me guess... you can save me a lot of money on something...)
Me: Okay...
FSG Rep: We've reviewed your CCR registration, and it looks like your company could be eligible for placement in our guide!
(Wow, that *is* great news!)
Me: Your guide?
FSG Rep: The Suppliers Guide! It's used *exclusively* by state and federal agencies to purchase services and products. Anyway, to confirm your eligibility, I'll need to ask a few questions. First, where are you located?
--- snipped a total of three questions asked ---
FSG Rep: Okay... well, let me punch this in here -- clickity clickity clicky -- wow! This is really good! You are, in fact, eligible for the guide! Would you like to be in our guide?
(There's no possible way there could be any sort of catch here...)
Me: Sure! Why not?
FSG Rep: Fantastic! There's just a nominal fee to get started, so if you'll just get me your credit card number we can--
Me: How much is the nominal fee?
FSG Rep: Heh, it's really very little actually. It's a fantastic investment that ranges anywhere from six hundred to several thousand.
Me: I can't make that decision right now; can you send me over some information?
FSG Rep: Oh. You can't? Well, I mean, I guess I could send you more information... but you know, I can just answer any questions you have now. I mean, I'd hate for you to lose your eligibility, that's all!
(What a nice guy! And this whole time, I thought he was a fast-talking salesman...)
Me: I guess we'll just have to take that risk; can you also send me a copy of the guide, too?
FSG Rep: Err, gee... well, you know... that's the one thing I can't do. You see, these guides are to be used *exclusively* by government agents. We can't just give them to anyone, you know.
(And to think, I was questioning whether they were even legitimate!)
Me: Okaaaay... just send me what you can then.
After a bit more back-and-forth about how he could "just answer any questions I had right now", the sales rep pointed me to their sample ads, a 7 MB PDF with sixteen pages of seemingly real companies, all with the same phone number (555-555-5555) and the same website (00000000000.com). Somehow, that didn't convince me to "invest" several hundred dollars, so the salesman faxed over some more information with a single, real ad.
As I eagerly waited for the follow-up call later that day, I thought I'd take a minute or two to check out their website. Almost immediately, I came across their Federal Procurement Officers Only page. Out of curiosity, I entered a username and password, and then clicked the Login button. Instantly, a JavaScript dialog popped up...
Since there's really only one thing that could cause such a dialog to pop up so fast (the check is running in the browser, not on a server), I checked the source code...
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
    if (form.id.value=="buyers") {
        if (form.pass.value=="gov1996") {
            location="http://officers.federalsuppliers.com/agents.html"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
//-->
</script>
And sure enough, following that URL (UPDATE: now taken offline) led me to the "SECURE Federal Suppliers Guide Listings for Agents" [sic] page. Having obviously way too much free time on my hands, I clicked through the secure guide and called a few of the companies listed to inquire about the ad. The response was overwhelmingly the same: we spent several [hundred|thousand] bucks on this ad, and haven't had a single call -- aside from yours just now -- in [one|two|three] year[s] regarding it.
When the sales rep called later, I decided to politely explain why I wouldn't be "investing" at this time...
Me: I called a few of your clients for references, and none of them received a single lead from the--
FSG Rep: Wait-wait-wait... clients? You called our clients? How did you--
Me: Err, well, I just clicked the "Agents" link--
FSG Rep: You can't access that page! That's for Federal Procurement Officers Only! It's password protected!
Me: Well, umm, the password was right there on the--
FSG Rep: So you hacked our site!? You can't do that! It's SECURE! You can get in a lot of trouble for hacking!
The conversation quickly went downhill from there. Needless to say, I decided against investing in the guide. But the good news is, despite hacking their site, I'm still eligible for inclusion in the guide!
Damn, they just re-secured it by changing the jscript to:
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
    if (form.id.value=="Agent") {
        if (form.pass.value=="fsg2008") {
            location="http://officers.federalsuppliers.com/agents.html"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
//-->
</script>
That's really unhackable.
Re: So You Hacked Our Site!?
2008-02-29 13:12, by Fry-kun (unregistered)
It was taken offline a few minutes ago, probably in response to all the "hacking" that's been going on. |
Re: So You Hacked Our Site!?
2008-02-29 13:44, by FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT (unregistered)
Thank you hackers for trying to destroy Federal Suppliers Guide's reputation. I have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. I have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. Sorry our site wasn't protected to your standards, however all of you are being reported to the appropriate authorities as we have your information too. You should have protected your info a little better. Not only is the company legit, we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. I am proud to work here and help small businesses obtain government work and also help federal buyers locate qualified small businesses to do business with. If you're not interested in government work or our services of helping small businesses navigate the federal market, fine, but please don't slander the company. It's rude, your comments are not truthful, we are not a scam and I hope someday you realize that all you have to do is check us out with Dun & Bradstreet or GSA or the Florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.
Re: So You Hacked Our Site!?
2008-02-29 14:09, by Sys (unregistered)
Just changed again...
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
    if (form.id.value=="zzzzzz") {
        if (form.pass.value=="fffxxx") {
            location="http://officers.federalsuppliers.com/agents.html"
        } else {
            alert("Invalid Password")
        }
    } else {
        alert("Invalid UserID")
    }
}
//-->
</script>
Somebody should tell them that changing the password will not help as long as the password is written there...
This script is great, the messages are informative, kindly indicating which, of the password or UserID, is invalid, but it could be further improved:
Due to the bytes shortage we've been experiencing, I feel a need to sum up 90% of the next 300 posts.
1- (reply to 180051) Your security sucks! There was no hacking at all. You don't know how to type or spell. You sent the password and blah blah blah...
2- Now the UserID is "moron" and the password is "scam3000"
3- Hey everyone, they changed the page to http://www.federalsuppliers.com/warning.html
4- Too bad they put it offline now. But I bet it still is available on Google's cache.
If your post resembles any of the statements above, don't bother. Save those precious bytes for something that has not been written countless times. Thank you
Re: So You Hacked Our Site!?
2008-03-04 06:34, by More (unregistered)
Don't worry... you can still get in using a Google search. That way you don't have to "hack" the site by using the password "listing" that someone was kind enough to find for us.