If you go down to the Vogue UK website today, you could be in for a big surprise…
Because strange things may happen if you enter the following “Konami code”: ↑ ↑ ↓ ↓ ← → ← → (up up, down down, left right, left right on the cursor keys) then press “B”, “A” and “Enter”.
Do you see that strange prehistoric creature at the bottom of the webpage?
The one brandishing a full set of teeth and a stylish line in bright red headwear?
Yep, I think you’ve spotted it now.
Assuming that Vogue didn’t want the latest fashions paraded on its homepage by T-Rex and Diplodocus, the most likely other explanation is that hackers found a flaw on the website, which allowed them to inject a small script that watches for the key sequence and then triggers its terrifying payload.
I guess we should be grateful that it doesn’t do something more sinister, like play old songs by the Partridge Family or replace anorexic model photos with pictures of hamburgers.
But there’s a serious issue here. If hackers were able to break into Vogue’s website and embed this code, they could just as easily have planted something malicious. The potential for harm is much greater than the chances of you being a Brontosaurus’s breakfast.
Vogue should review its website security, ensure that its software and patches are up-to-date and conduct a thorough audit to see if anything else has changed on its site.
Update: Apparently the same Konami code works on the Wired website. Both Wired and Vogue are part of the Condé Nast publishing family. There are some reports that Vogue’s web developers deliberately embedded the dinosaur payload as an “easter egg”. The problem with these kinds of tricks is that they can appear so similar to genuine hacking attempts. For instance, hackers hid “Asteroids” behind a Konami code on US govt websites earlier this year.
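As part of the audit recommended above, a site owner can scan the JavaScript the site serves for a listener on this key sequence and then check each hit against what the developers say they deployed. The Python sketch below is an added example, not code from Vogue, Wired or the original post; `find_konami`, the gap limit and the sample scripts are constructed for illustration, and it matches both legacy keyCode numbers and `KeyboardEvent.key` names.

```python
import re

# Legacy keyCode values for: up up down down left right left right B A
KONAMI = [38, 38, 40, 40, 37, 39, 37, 39, 66, 65]
ENTER = 13
NAME_TO_CODE = {"arrowup": 38, "arrowdown": 40, "arrowleft": 37,
                "arrowright": 39, "b": 66, "a": 65, "enter": ENTER}
# Candidate tokens: 2-3 digit numbers or KeyboardEvent.key names.
TOKEN = re.compile(r"\b(?:\d{2,3}|Arrow(?:Up|Down|Left|Right)|Enter|[abAB])\b")
MAX_GAP = 24  # assumed limit on characters between neighbouring tokens

# Constructed samples (not taken from any real site).
SAMPLE_KEYCODES = '''var keys = [], konami = "38,38,40,40,37,39,37,39,66,65,13";
document.addEventListener("keydown", function (e) {
  keys.push(e.keyCode);
  if (keys.toString().indexOf(konami) >= 0) { showEgg(); keys = []; }
});
'''
SAMPLE_KEYNAMES = '''"use strict";
const seq = ["ArrowUp", "ArrowUp", "ArrowDown", "ArrowDown",
    "ArrowLeft", "ArrowRight", "ArrowLeft", "ArrowRight", "b", "a"];
'''
SAMPLE_CLEAN = "var sizes = [38, 40, 42, 66];\n"


def find_konami(source):
    """Return (line_number, has_enter) for each Konami sequence in JS source."""
    toks = []
    for m in TOKEN.finditer(source):
        text = m.group().lower()
        code = int(text) if text.isdigit() else NAME_TO_CODE[text]
        toks.append((code, m.start(), m.end()))
    hits, i, n = [], 0, len(KONAMI)
    while i + n <= len(toks):
        window = toks[i:i + n]
        codes_ok = [t[0] for t in window] == KONAMI
        # Tokens must sit close together, as in one array or string literal.
        gaps_ok = all(b[1] - a[2] <= MAX_GAP for a, b in zip(window, window[1:]))
        if codes_ok and gaps_ok:
            nxt = toks[i + n] if i + n < len(toks) else None
            has_enter = bool(nxt and nxt[0] == ENTER
                             and nxt[1] - window[-1][2] <= MAX_GAP)
            hits.append((source.count("\n", 0, window[0][1]) + 1, has_enter))
            i += n
        else:
            i += 1
    return hits
```

A hit only shows that a script watches for the sequence; whether it is a sanctioned easter egg or an injected script still has to be settled against the site's own source control and deployment records.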
According to the webmaster (whose Twitter handle I can't remember) it's deliberate and they haven't been hacked.
Yup, I'm not denying that possibility. Hence the question mark in my headline.
The problem with these kinds of tricks is that they can appear so similar to genuine hacking attempts. For instance, the hackers who hid "Asteroids" behind a Konami code on US govt websites earlier this year: http://nakedsecurity.sophos.com/2013/01/28/hackers-asteroids-government-websites/
Found it https://twitter.com/iansteadman/status/354906235742593025
I tried this hack at least 15 times and it didn't work, and I tried refreshing the page lots of times but nothing changed.