Yes, I must admit, this is a linkbait post. As you can see, this blog doesn’t have ads; I am not in it for the money, but I like the fame. So, here goes a very funny WordPress trick.

There is a vulnerability in WordPress involving a well-known feature called “Post Timestamp”: you can write a post and set its publication date in the future, and the post is only displayed once that time arrives.

The vulnerability, first disclosed by Michael Brooks, reported a while ago on Bugtraq and today on XSS news, lets anyone see “future posts”: posts that are scheduled but not yet published. In other words, you can read the future of your favourite blog.

And it works. For instance, tomorrow, ShoeMoney is going to post about UFC 79 Nemesis: Matt Hughes vs. Georges St-Pierre.

http://www.shoemoney.com/?x=wp-admin/&paged=1

Update: ProBlogger is even funnier, with posts for the 23rd and 24th and the “Best of ProBlogger - 2007” on the 25th. LOL.
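The URL above puts `wp-admin/` into the query string of an ordinary front-end request, which suggests the admin check matched that string anywhere in the request URI rather than in the path (an inference; the post does not describe the mechanism). The following is an added example, not code from this post or from WordPress: a log check a site owner could run over access logs to flag requests whose path is outside /wp-admin/ but whose query string carries `wp-admin/`. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Combined log format; only the request target and a few fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def looks_like_admin_spoof(target: str) -> bool:
    """True when 'wp-admin/' appears in the query string of a request
    whose path is not actually under /wp-admin/."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path == "/wp-admin" or path.startswith("/wp-admin/"):
        return False  # a real admin request; nothing to flag here
    # Decode percent-encoding and fold case so %2F or WP-ADMIN/ do not slip past.
    query = unquote(parts.query).lower()
    return "wp-admin/" in query

def flag_suspicious(log_lines):
    """Return (ip, timestamp, target) for each flagged request line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and looks_like_admin_spoof(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits

# Constructed sample lines (documentation IP ranges, not a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2007:10:00:01 +0000] "GET /?x=wp-admin/&paged=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [21/Dec/2007:10:00:09 +0000] "GET /?x=wp-admin%2F&paged=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Dec/2007:10:01:00 +0000] "GET /wp-admin/post.php?action=edit&post=42 HTTP/1.1" 200 900',
    '198.51.100.9 - - [21/Dec/2007:10:02:00 +0000] "GET /?s=wp-admin HTTP/1.1" 200 4000',
    '192.0.2.1 - - [21/Dec/2007:10:03:00 +0000] "GET /2007/12/post-title/ HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for ip, ts, target in flag_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Only the two requests that smuggle `wp-admin/` through the query string are reported; a genuine admin URL and a search for the bare word are left alone.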

Commentary

  1. SlightlyShadySEO wrote on 21. Dec 2007

    Very, very nice. I need to start reading BugTraq more.
    You should get yourself a sphinn avatar so your posts stick out more; I almost missed this one.

  2. Tim Nash wrote on 21. Dec 2007

    See, the simple way to avoid this is to be totally disorganised and have no forward planning. Looks like I’m safe then :D

  3. Brendan Cullen wrote on 21. Dec 2007

    Nice find. What you should have done is copy & paste his article here first, and when he posted his, start shouting about being ripped off and ride the Digg/Sphinn train to fortune and glory.

    Now that would be black hat :)

  4. SlightlyShadySEO wrote on 21. Dec 2007

    @Brendan
    I like the way you think!

  5. Gerard McGarry wrote on 22. Dec 2007

    That’s such a bizarre bug. I’m stunned that WordPress has such a glaring vulnerability.

    Darren and Shoe must be kicking themselves, especially Darren who regularly advises people to schedule posts for launch.

  6. Brendan Picha wrote on 22. Dec 2007

    The flux capacitor of Wordpress. Very nice.

  7. Lloyd Budd wrote on 22. Dec 2007

    This issue is resolved in the soon-to-be-released WordPress 2.3.2 (2.3.2-beta2).

  8. SlightlyShadySEO wrote on 27. Dec 2007

    Heh just so you know, there’s some shit who duped your post, spun a bunch of accounts, and started running it up sphinn.
    imakemoneyhoney.blogspot.com/2007/12/how-to-know-what-shoemoney-is-going-to.html
    just givin ya a heads-up.

  9. k wrote on 27. Dec 2007

    Thanks SlightlyShadySEO!

  10. Jim McNelis wrote on 29. Dec 2007

    neat trick! spun

  11. SlightlyShadySEO wrote on 29. Dec 2007

    Np.
    If you feel like it, you can probably get his entire feedburner account torched at http://www.feedburner.com/fb/a/contact
    hmm I wonder if he keeps other more legit blogs on there…

  12. ChaosKaizer wrote on 30. Dec 2007

    Owned, great find. I read it on Trac. This could be a serious “hole” in WordPress. Others could steal your whole stories and make claims without looking back.

    ho ho ho happy new year.

  1. WordPress Hacked: Anyone Can View Future/Draft Posts on 28. Dec 2007
  2. WordPress 2.3.2 (Security Update) at Gea-Suan Lin’s BLOG on 29. Dec 2007
  3. Wordpress 2.3.2, urgent update | aNieto2K on 29. Dec 2007
  4. Deviant on 29. Dec 2007
  5. Ubunteate Blog » Blog Archive » Wordpress 2.3.2 Updated on 30. Dec 2007
  6. WordPress Bug: I Read Your Future Drafts! on 30. Dec 2007
  7. WordPress 2.3.2 Security Update Released on 30. Dec 2007
  8. » Wordpress: That Took 14 Months - John Andrews - johnon.com on 30. Dec 2007
  9. Backup your wordpress blog and upgrade to wordpress 2.3.2 | Blogging Tips on 02. Jan 2008
  10. WordPress 2.3.2 Update | Youfoundjake on 04. Jan 2008
  11. Matasano Chargen » Funny WordPress Vulnerability on 23. Jan 2008