XSS Exploit on Half a Million 123 Reg Parked Domains
UK registrar 123-reg.co.uk has had a fair few customer relations issues in the past. Today I was digging into an issue for a client site and found some interesting things related to the way 123 Reg handles parked pages.
The problem was that the client's site didn't open when you missed the www out of the domain. For example, visiting this link was OK, but this one takes you to a parked page (this site isn't my client, just an example).
A quick check on how many sites 123 Reg has parked and indexed in Google reveals about half a million, so there are plenty of trusted domains to have fun with.
Basically every single one of the half million domains parked with 123 Reg can be injected with links to whatever sites a spammer wants.