undefined | Better HN

0 pointsmsla7y ago0 comments

> They track use by embedding a link to the third party font provider, which does a 302 redirect to a file on your server that requires revalidation every load.

GDPR, here we come!

> Automated bot traffic, whether benign, malicious, search engines, or anything at all, becomes very expensive. A flood of scrapers hitting your site shifts from a minor nuisance to a very big deal.

As they used to say on the chans: "Oh, exploitable!"

This would be a wonderful way to financially DDoS some organization you just don't like very much.

0 comments

cosmie7y ago

> GDPR, here we come!

I wish I had that card to play! For that specific provider in the example, their ToS explicitly says that, other than your login credentials, they're allowed to do and distribute any and everything they want with any data they collect from the usage of their service[1]. I'd be really curious to see exactly what usage is hiding behind that clause.

> This would be a wonderful way to financially DDoS some organization you just don't like very much.

Right?! It was mind boggling to learn how easily abused of a system it is. Their ToS even states that it's your problem, not theirs, and any call whatsoever to the "CSS key" (the nonexistent font file on their server that redirects to the real file on your server) is and will be charged as a view. You don't even need to hit the site it's embedded in - just hook up to TOR tunnel and throw a curl command to the "CSS Key" URL into an endless loop. And for optional flourish, add fake user-agent, origin, and referrer headers to the curl command. Let it run for a couple hours every week. Since you didn't hit their site, their site analytics never triggered, and they won't know what hit 'em until months later when it reaches a level that warrants finance asking why you blew so far past your budget.

[1] https://www.typography.com/home/cloud-terms.php