by Peter Jaric
Finally we have a winner!
In short, the goal of the contest was to write code that generated a key for a made-up crypto coin called VDC, and at the same time include hidden code to send that key to your own server. Read more about it, and all the rules, over at misdirect.ion.land.
The contest ended the 13th of September, and at that time I had got 40 submissions, of which 34 were valid. The number of submissions and the nice comments I got from the contestants made the contest a success to me.
I liked his submission because it is short and still manages to include hidden evil code. Most other contest submissions were far longer. You can check out his entry over here: http://jsfiddle.net/c6z0kb4g/0 I’ve included Aymeric’s own description of his submission, but not right here.
At the end of the post follow the other entries (except for a few who wished to be removed from this list). Do you think I made the right choice, or is there a more worthy winner?
Some random thoughts about the submissions:
- Many contestants hid the evil code in a Base64-encoded block, often masked as a seed or key.
- Using Image.src as a way to send the key was very common. I also used it in my example, maybe that was the reason.
- Another trick used by more than one, was to include a link to StackOverflow in a comment. I think that was quite clever, because as a code reviewer (and creator) I am used to find these kind of comments that explain unusual code.
- Generally I find it easier to skip over code that has a good comment above it, so I think that is a good trick too.
I have not done this all by myself. I’d like to thank Jacob Soo, Jonatan Heyman, Victor Haffreingue, File Descriptor and Detectify.
These are the other valid submissions (except for those who elected to be removed):
The tricks behind his solution, in his own words:
– perform a request leveraging Image.src
– generate the seed as being `src`
– use the seed to generate the domain name (src.sr)
– obfuscate the url construction as if it was the hash
Will send the generated key to __generated_key__.src.sr (necessitate the proper DNS Cname wildcard)