Google’s GrandCentral Blog has been hacked!
GrandCentral is a company, purchased by Google in 2007, that assigns you a phone number that allows you to be reached wherever you are by redirecting your calls to other phones of your choice. Yesterday, when browsing their blog, I noticed a large swathe of empty space at the bottom and found this to be a bit strange. You can see this empty space in the image below. Notice the vertical slider and you will see that there is a ton more space underneath that I could not show in the image.

GrandCentral Blog with CSS
Notice the large white space at the bottom.
I pulled up the HTML source of the page and scrolled to the bottom, and lo and behold, I saw 3400+ links to what appear to be other hacked sites advertising drugs and online pharmacies. Below is a small snippet of the code with the URLs. Notice, I have obfuscated the actual URL to use the example.com domain.
<div style="left: -2227px; position: absolute; top: -3337px">
<a href="http://www.example.com/buy.php?id=1" title="adipex">adipex</a><br>
<a href="http://www.example.com/buy.php?id=2" title="order adipex">order adipex</a><br>
<a href="http://www.example.com/buy.php?id=3" title="cheap adipex">cheap adipex</a><br>
<a href="http://www.example.com/buy.php?id=4" title="no prescription adipex">no prescription adipex</a><br>
<a href="http://www.example.com/buy.php?id=5" title="adipex p how it works">adipex p how it works</a><br>
<a href="http://www.example.com/buy.php?id=6" title="adipex harmful side effects">adipex harmful side effects</a><br>
<a href="http://www.example.com/buy.php?id=7" title="how long does it take adipex to work">how long does it take adipex to work</a><br></div>
They hide these URLs by wrapping them in a div with an inline style applied to it. This CSS style positions the HTML 2227 pixels to the left of the left edge of the window and 3337 pixels above the top edge of the window. The HTML is therefore rendered off the screen and is invisible to a visitor. A search engine like Google, on the other hand, will still see the URLs and, because the links are coming from an authoritative site like GrandCentral, give them a nice SEO boost.
If we want to see the actual URLs, we can disable the CSS using a tool like Firefox’s Web Developer extension. This disables the style attribute on the <div>, and we can then see the URLs easily, as shown below.

GrandCentral blog with CSS Disabled
Notice we can now see the previously hidden URLs
As you can see, with CSS disabled the URLs are readily apparent. I have already notified Google Security about this breach and I hope they have it rectified soon.
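A site owner can check their own pages for this kind of injection without a browser. The following is an added example, not code from the original post: it parses HTML and reports every link that sits inside an element whose inline style hides it, either with a large negative offset like the div above or with `display:none` / `visibility:hidden`. The function names, the 500-pixel threshold and the sample page are assumptions made for the illustration, and styles applied through a stylesheet class are not covered.

```python
import re
from html.parser import HTMLParser

# Void elements have no closing tag, so they are never pushed on the stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
OFFSET = re.compile(r"(left|top|text-indent)\s*:\s*-(\d+)(?:\.\d+)?px", re.I)

def is_hidden(style, min_offset=500):
    """Heuristic: display:none, visibility:hidden, or a negative offset of
    at least min_offset pixels (assumed threshold) in an inline style."""
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I):
        return True
    return any(int(m.group(2)) >= min_offset for m in OFFSET.finditer(style))

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []         # (tag, hidden) for each open element
        self.hidden_links = []  # hrefs found inside a hidden element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else False
        hidden = inherited or is_hidden(attrs.get("style") or "")
        if tag == "a" and hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links

# Constructed sample page modelled on the snippet in the post.
SAMPLE = """<html><body>
<div id="post"><a href="http://www.example.com/about">About</a><br></div>
<div style="left: -2227px; position: absolute; top: -3337px">
<a href="http://www.example.com/buy.php?id=1" title="adipex">adipex</a><br>
<a href="http://www.example.com/buy.php?id=2" title="order adipex">order adipex</a><br>
</div>
<p style="margin-left: -5px"><a href="http://www.example.com/ok">ok</a></p>
</body></html>"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE):
        print("hidden link:", href)
```

Run against the rendered output of each published page, a non-empty result is worth a manual look, since legitimate templates also hide some elements (skip links, menus).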

July 17th, 2008 at 3:23 am
[...] like grandcentral’s blog got hacked Was lurking in the security section of Digg today and saw an interesting story about how the blog for GrandCentral was hacked to include hidden spam links to various online [...]
July 19th, 2008 at 4:58 pm
Looks like it’s fixed now..
July 19th, 2008 at 11:11 pm
Yup… thanks for stopping by and letting us know.
April 13th, 2009 at 12:24 pm
Can you provide more information on this? I have read other websites that are on similar subjects.