Has the Vogue website been hacked by dinosaurs?

If you go down to the Vogue UK website today, you could be in for a big surprise...

Because strange things may happen if you enter the following "Konami code": ↑ ↑ ↓ ↓ ← → ← → (up up, down down, left right, left right on the cursor keys) then press "B", "A" and "Enter".

Vogue website, complete with dinosaur

Do you see that strange prehistoric creature at the bottom of the webpage?

The one brandishing a full set of teeth and a stylish line in bright red headwear?

Vogue website close-up

Yep, I think you've spotted it now.

Assuming that Vogue didn't want the latest fashions paraded on its homepage by T-Rex and Diplodocus, the most likely other explanation is that hackers found a flaw on the website which allowed them to inject a small script that watches for the key sequence and then triggers its terrifying payload.

I guess we should be grateful that it doesn't do something more sinister, like play old songs by the Partridge Family or replace anorexic model photos with pictures of hamburgers.

But there's a serious issue here. If hackers were able to break into Vogue's website and embed this code, they could just as easily have planted something malicious. The potential for harm is much greater than the chances of you being a Brontosaurus's breakfast.

Vogue should review its website security, ensure that its software and patches are up-to-date and conduct a thorough audit to see if anything else has changed on their site.

Update: Apparently the same Konami code works on the Wired website. Both Wired and Vogue are part of the Condé Nast publishing family. There are some reports that Vogue's web developers deliberately embedded the dinosaur payload as an "easter egg". The problem with these kinds of tricks is that they can appear so similar to genuine hacking attempts. For instance, the hackers who hid "Asteroids" behind a Konami code on US govt websites earlier this year.
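A starting point for the audit recommended above, as an added example that is not from the original post or from Vogue's code: a Node.js function that scans script sources for the Konami key sequence, whether written as keyCode numbers or as key names. The file names and sample sources are constructed for illustration.

```javascript
// Added example: flag script sources that embed the Konami key sequence.
// keyCodes: up=38, down=40, left=37, right=39, B=66, A=65.
const KONAMI_CODES = [38, 38, 40, 40, 37, 39, 37, 39, 66, 65];
const KONAMI_NAMES = ['ArrowUp', 'ArrowUp', 'ArrowDown', 'ArrowDown',
  'ArrowLeft', 'ArrowRight', 'ArrowLeft', 'ArrowRight', 'b', 'a'];

// Match the items in order, separated by a comma plus optional quotes and
// whitespace (so minified and multi-line array literals both match).
function sequencePattern(items, flags) {
  const sep = '["\'\\s]*,["\'\\s]*';
  return new RegExp('(?<!\\w)' + items.join(sep) + '(?!\\w)', flags);
}

const PATTERNS = [
  { kind: 'keyCode list', re: sequencePattern(KONAMI_CODES, 'g') },
  { kind: 'key name list', re: sequencePattern(KONAMI_NAMES, 'gi') },
  { kind: 'concatenated keyCodes', re: new RegExp(KONAMI_CODES.join(''), 'g') },
];

// sources: [{ name, text }] -> [{ file, line, kind }], one entry per hit.
function findKonamiListeners(sources) {
  const findings = [];
  for (const { name, text } of sources) {
    for (const { kind, re } of PATTERNS) {
      for (const m of text.matchAll(re)) {
        const line = text.slice(0, m.index).split('\n').length;
        findings.push({ file: name, line, kind });
      }
    }
  }
  return findings;
}

// Constructed sample sources (not taken from any real site).
const SAMPLE_SOURCES = [
  { name: 'site.min.js',
    text: 'var n=0;\nvar k=[38,38,40,40,37,39,37,39,66,65];\ndocument.onkeydown=function(e){};' },
  { name: 'egg.js',
    text: "const seq = ['ArrowUp', 'ArrowUp', 'ArrowDown', 'ArrowDown',\n" +
          "  'ArrowLeft', 'ArrowRight', 'ArrowLeft', 'ArrowRight', 'b', 'a'];" },
  { name: 'carousel.js',
    text: 'var keys = {left: 37, right: 39};\nvar sizes = [138,38,40];' },
];

console.log(findKonamiListeners(SAMPLE_SOURCES));
```

A hit only shows that a key-sequence listener is present; whether it is a developer's easter egg or an injected script still has to be settled by checking the file against the site's own source history.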


3 Responses

  1. Ryan Cullen

    July 10, 2013 at 4:54 pm #

    According to the webmaster (whose twitter handle I can't remember) it's deliberate and they haven't been hacked.

    • Graham Cluley in reply to Ryan Cullen.

      July 10, 2013 at 4:58 pm #

      Yup, I'm not denying that possibility. Hence the question mark in my headline.

      The problem with these kinds of tricks is that they can appear so similar to genuine hacking attempts. For instance, the hackers who hid "Asteroids" behind a Konami code on US govt websites earlier this year: http://nakedsecurity.sophos.com/2013/01/28/hackers-asteroids-government-websites/

  2. Ryan Cullen

    July 10, 2013 at 4:59 pm #

    Found it https://twitter.com/iansteadman/status/354906235742593025
