How to fix the target="_blank" exploit

I was bored whilst waiting for a Git repo to clone, so I decided to play around a little with a very old exploit (four or five months old), so I wasn't expecting much. The exploit I'm talking about is the target="_blank" one. What happens is that when you open a link in a new tab, the new page has access to window.opener.location, and that is accessible across origins (CORS).

All you need on your site to test the exploit is:

  if (window.opener) { opener.location = ''; }

Click here : you’ll just see my site open in a new tab
Click here : and watch the original window change to my “you’re hacked page”

I was keen to test this on a few social media sites where I have links to my blog. I never expected Facebook to be susceptible to this exploit but it was one of the first that I found to be susceptible. On my profile’s about page, when you click on my website URL, it opens in a new tab and the old one redirects to my “you’re hacked page”. Crazy.

The possibilities with this are endless. You can set up a spoof page for any social network or site you want to steal users' credentials for, and once they click on your link on the real site, their logged-in session will be redirected to your fake site, where they appear to have been logged out and are asked to log back in, and so you steal their login details.

I alerted Facebook via their bug bounty program, explaining the whole situation. After about 10 minutes I went to check and they had fixed the bug, but had given no response on the ticket I logged. At the time of writing this blog entry, it's been a few days and I still have not received a response. I'm not expecting an award; just an acknowledgement that I helped them out would be great.

Anyway, if your blog or site is affected by this, contact me to help you sort it out.
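The defensive counterpart to the snippet above, added here as an example and not code from the original post: every target="_blank" link gets rel="noopener noreferrer" so the opened page receives no window.opener, and window.open is wrapped so the back-reference is severed even in browsers that ignore the noopener feature. The helper names (hardenRel, hardenBlankLinks, openWithoutOpener) are my own.

```javascript
// Ensure a rel attribute value carries both "noopener" and "noreferrer".
// "noopener" stops the new tab receiving window.opener; "noreferrer" is the
// fallback honoured by older browsers and additionally drops the Referer.
function hardenRel(rel) {
  const tokens = new Set((rel || '').split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return Array.from(tokens).join(' ');
}

// Walk every <a target="_blank"> under `root` (a Document or Element)
// and harden its rel attribute. Returns the number of links changed.
function hardenBlankLinks(root) {
  let changed = 0;
  for (const a of root.querySelectorAll('a[target="_blank"]')) {
    const before = a.getAttribute('rel') || '';
    const after = hardenRel(before);
    if (after !== before) {
      a.setAttribute('rel', after);
      changed += 1;
    }
  }
  return changed;
}

// Open a URL in a new tab without handing it a usable window.opener.
// `win` defaults to the global window; it is a parameter so the behaviour
// can be exercised outside a browser with a constructed stand-in.
function openWithoutOpener(url, win = globalThis.window) {
  // Modern browsers honour the "noopener" feature and return null.
  const newWin = win.open(url, '_blank', 'noopener,noreferrer');
  // Older browsers ignore the feature and hand back the window handle;
  // null its opener ourselves so opener.location can no longer be set.
  if (newWin) {
    newWin.opener = null;
  }
  return newWin;
}

// Runs automatically in a browser; harmless when loaded elsewhere.
if (typeof document !== 'undefined') {
  hardenBlankLinks(document);
}
```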

WordPress Custom Post Type names restricted to max 20 characters

Ever spotted this error:

Notice: register_post_type was called incorrectly. Post type names must be between 1 and 20 characters in length. Please see Debugging in WordPress for more information. (This message was added in version 4.2.) in <file> on line <line>

Thrown here:


	// From register_post_type() in wp-includes/post.php: the name is rejected
	// both when empty and when it is longer than 20 characters.
	if ( empty( $post_type ) || strlen( $post_type ) > 20 ) {
		_doing_it_wrong( __FUNCTION__, __( 'Post type names must be between 1 and 20 characters in length.' ), '4.2' );
		return new WP_Error( 'post_type_length_invalid', __( 'Post type names must be between 1 and 20 characters in length.' ) );
	}

So it would appear that, due to legacy issues, your custom post type name cannot exceed 20 characters.

What are these "legacy issues" I speak of? The post_type field in the wp_posts table in the database, where the type of post (your custom post type's name) is saved, is a VARCHAR(20)!


I have no words.

Running: Sat, 28 May 2016 11:04:59

I’ve been focusing a lot on weight training the past few months. My leg muscles have increased a lot from squatting 150-260kg. All the added leg muscles aren’t exactly helping me in running. I’m preparing for the Impi Challenge in November 2016. I need to do a lot more running to get fit enough to tackle the 18km route.

  • Activity: Running
  • Distance: 10.28 km
  • Duration: 00:55:43
  • Average Speed: 11.07 kmh
  • Average Pace: 05:25 min/km

D.I.Y Biltong

I really love biltong, and being a fitness junkie, the extra protein does come in handy. Ready-made biltong costs in the region of R130 – R150 p/kg, whereas fresh silverside meat is in the region of R70 p/kg. So you can almost make it yourself for half the price (I said almost).

First off, you need a hot, dry and ventilated place to dry the biltong. I don't have a place like that in my house, so I built a dryer using left-over pieces of wood, a computer fan, a 12V transformer and a light bulb. For me this was the fun part; I really love D.I.Y, and I had a buddy over to help me with the assembly, so it went rather quickly. Just make sure there is enough ventilation and that your fan extracts all the moisture from the lamp heating the meat. Take care to put flyscreen material or any other porous material over any opening you might have in your dryer. Trust me, you don't want any nasty flies sitting on your precious biltong meat; it will spoil all of it.

Once you have your dryer assembled, you can move on to the meat of the task (bad pun, excuse me). Go buy yourself some A-grade quality silverside meat from your local butcher. I bought mine at Checkers and it was R70 p/kg, but I've spoken to other people who said that their local butcher sells it for far less. Shop around and see where you can get the best meat for the cheapest price.

You’re going to need the following ingredients:

  • Brown vinegar
  • Worcestershire sauce
  • Red wine (optional)
  • Brown sugar
  • Coarse sea salt
  • Coriander seeds
  • Whole pepper corns

The first thing you do is pour two dessert spoons of Worcestershire sauce together with equal amounts of brown vinegar and red wine into a large dish, big enough to put all your meat in and cover it with the fluid. You're going to want to be able to cover this dish and leave it in the fridge overnight.

The next morning, take equal amounts of coriander seeds and pepper corns and blitz them briefly (less than 5 seconds) in a food processor, just to open up all the flavour. Mix that with two dessert spoons of brown sugar and coarse sea salt.

Drain your meat from the vinegar and wine mixture and lay it flat on a tray. Sprinkle your spice mixture generously over both sides of the meat, taking care to rub it in as much as you can. After this, you're going to want to let it marinate for another 8 hours or until the following day, whichever comes first.

The last step in this process is to hang your meat in your dryer and let the curing process begin. My dryer does such a good job that I can usually start eating after about 3 days. On the 4th or 5th day all the meat is completely dry.