ATTENTION: Anyone Who Uses Prosper202 - Read this.

[Tough Marketing]

k, so I'm a newb with this so I apologize in advance. But what your saying is they can redirect the traffic that prosper shows clicking on your site, but they are actually being redirected to their site?

Yes. One of the many horrible things they can do.

 

[Tough Marketing]

I am personal friends with Wes and the other guys. They would never do such a thing on purpose. I'll be sure to bring this to their attention asap.

Thanks for the heads up Tough Marketing. This will be fixed soon.

No problem. Hope I let everyone know soon enough.

 

[Tough Marketing]

Being from Brooklyn you get suspicious of anyone being nice to you or trying to help you.

why would prosper202 need to ping their server? They could have written the script so it didn't do that.

I don't care if anyone is a great guy.

I'm a great fucking guy but I'll rob the shit out of your campaign in a second.

so seriously internet marketers stop being so fucking dumb.

No offense, but I do think they are good people. They are offering people with no money and just starting out a nice tracking solution.

I have seen their code and I can vouch that there is no backdoors in their system. This is a simple mistake that I bet any custom tracking system could have.

 

[andyt]

Well I wasn't even using prosper202 anymore but I just moved my install out of the webroot. Hopefully they get a patch out quickly.

 

[johnysc430]

hey I'm not accusing them of anything, but there's a lot of temptation there. That guy wes does seem like a nice helpful guy. It's just scary having your data somewhere else.

 

[Tough Marketing]

hey I'm not accusing them of anything, but there's a lot of temptation there. That guy wes does seem like a nice helpful guy. It's just scary having your data somewhere else.

If you are using prosper the only place your data is, is your database.

I mean AES_ENCRYPT in mysql wouldn't hurt.
But it's free. They do their best im sure.

 

[erect]

That guy wes does seem like a nice helpful guy.

He is.

Even programs that have years of seasoning have vulnerabilities (WP hijack anyone). This is one of the hazards of software in general ... it's just a shame that breaking into p202 is probably just as profitable and less risky than stealing credit card information. It had to happen sooner or later and I guarantee that it will be cracked again even after this fix.

I certainly hope their t&c is airtight because when lots of money is at stake, lawsuits happen.

 

[xmcp123]

Being from Brooklyn you get suspicious of anyone being nice to you or trying to help you.

why would prosper202 need to ping their server? They could have written the script so it didn't do that.

I don't care if anyone is a great guy.

I'm a great fucking guy but I'll rob the shit out of your campaign in a second.

so seriously internet marketers stop being so fucking dumb.

Spoken like someone who has absolutely no idea wtf is involved in the exploit.
This is NOT like a master password, or some dumb bullshit. It's a legitimate accidental glitch. The rest of the code is most likely fine. This shit isn't even being negligent or anything like that. Even experienced coders make mistakes, and given the program is given away for free, it's remarkable how few there are.

 

[uguxseo]

Is P202 still vulnerable with mod_security installed?

 

[Tough Marketing]

He is.

Even programs that have years of seasoning have vulnerabilities (WP hijack anyone). This is one of the hazards of software in general ... it's just a shame that breaking into p202 is probably just as profitable and less risky than stealing credit card information. It had to happen sooner or later and I guarantee that it will be cracked again even after this fix.

I certainly hope their t&c is airtight because when lots of money is at stake, lawsuits happen.

I couldn't agree more. Look at microsoft. I bet everyone on here has had a virus on their computer at some point. I am a programmer and I know exactly how to prevent them but when your running an operating system such as windows there is tons of underground exploits or even exploits that haven't been found yet. There is exploits for internet explorer and even firefox. Everything that is made for good, someone targets for bad.

 

[gdubs12345]

is there anything we can do that might protect it as of now?

 

[Tough Marketing]

is there anything we can do that might protect it as of now?

Not without modifying the source of a few different files.
I think everyone just needs to watch over their servers closely and wait for a update.

 

[johnysc430]

Spoken like someone who has absolutely no idea wtf is involved in the exploit.
This is NOT like a master password, or some dumb bullshit. It's a legitimate accidental glitch. The rest of the code is most likely fine. This shit isn't even being negligent or anything like that. Even experienced coders make mistakes, and given the program is given away for free, it's remarkable how few there are.

yea I'm not a programmer at all. I don't think they did it intentionally but what is the use of them having the data pass through their server?

 

[Tough Marketing]

yea I'm not a programmer at all. I don't think they did it intentionally but what is the use of them having the data pass through their server?

It's not the case. But just figure out how valuable your data that is on there is. All of your converting keywords and ads for example getting into someone else's hands. The software doesn't "phone home" and like xmcp said, everyone makes mistakes. It happens when you code.

 

[Tough Marketing]

I apologize, I have to leave for a few hours or more. I wish I could do more to stop this right now, but nobody has gotten back to me about fixing it. If the owners read this, xmcp has my phone number and I am sure lots of people have his number.

 

[MattDunbar]

Should have been tested a lot better to prevent bugs like this though, anyway, if they wanted to steal data, they'd encrypt the source and phone home in that code, with all data.

 

[johnysc430]

yea this sucks, I know some high producing affiliates using this program. Someone had mentioned this problem with the program to me about a week ago. This sucks because this is going to kind of ruin the guys from tracking202's cred a little.

 

[volknet]

I'm sure Wes will get this fixed ASAP.

Thanks for letting us know of the exploit.

@ johnysc430: LOL @ I'm a great guy but I'll steal all your money.

 

[mattaw]

Have talked to Wes, he's looking into it now and fixing it

 

[xmcp123]

Should have been tested a lot better to prevent bugs like this though, anyway, if they wanted to steal data, they'd encrypt the source and phone home in that code, with all data.

I had a chance to talk to Wes, and it would appear that indeed it was tested quite well.

yea this sucks, I know some high producing affiliates using this program. Someone had mentioned this problem with the program to me about a week ago. This sucks because this is going to kind of ruin the guys from tracking202's cred a little.

It really shouldn't. This kind of glitch was only made possible because of a series of pretty fuckin obscure conditions that don't occur often. You wouldn't exactly find this kind of "security tip" floating around on forums or anything. In fact, I don't even know wtf to call this. It can't truthfully be called XSS or injection or anything common like that.

Really, don't hold this against them. They did due diligence and just missed something obscure.