Just to clarify, the PHPSESSID cookie was HttpOnly - I could extract the new value because I had overwritten it. Most of the cookies were set correctly (thankfully); however, there was a lot of SPII stored in JS variables which I was able to get.
OP - I'm honestly not sure what happened, it could be just based on the naming or something else to do with it. Either way, when I visited it, Google's Safe Browsing alert popped up with "Deceptive site ahead - recently detected phishing".
This is a newish _Chrome_ feature (within the past 2 years) that Google rolled out. Any subdomain that looks like a domain (especially ending in a common TLD) will trigger that warning.
I learned that because, at work, I architected a system for serving certain assets for customer sites at a subdomain off a shared root domain, keyed by their full domain (like example.com.example.org—where example.com is the customer’s site domain). We ended up changing to example-com.example.org which is far better anyways since this feature started breaking stuff once it rolled out.
But this is a Chrome feature and should not affect your rankings themselves. But couldn’t hurt to take it down just in case.
OP Here - Like the others have said, it wasn't a proper same-origin check. We'll never know for sure how it was handled because it was all done server-side but I'm guessing it was something like an if in statement on the FQDN, hence why I was able to get away with pointing it to my own domain.
Hi, OP here! Thank you all so much for the positive comments. To give some background: I'm a 17 year old student in the UK doing my A-Levels, still deciding what uni to go to and looking for degree apprenticeship options! You can check out my GitHub profile here -> https://github.com/Jayy001 (I'm one of the core members behind HashPals, creating Search-That-Hash as well as being a maintainer for the open-source repository of free software for the ReMarkable tablet)
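An added example, not part of the thread and not the site's actual code (which was never seen): a substring test on the hostname, as the comment above guesses, beside an exact-match check with a dot-boundary rule for subdomains. `example.org` and every sample URL are constructed placeholders.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "example.org"  # constructed placeholder for the site's own domain


def weak_is_trusted(url: str) -> bool:
    """Guessed flawed check: the trusted name appears anywhere in the host."""
    host = urlsplit(url).hostname or ""
    return TRUSTED_HOST in host


def strict_is_trusted(url: str, allow_subdomains: bool = True) -> bool:
    """Exact host match, or a subdomain split on a label boundary."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    # hostname is already lower-cased; drop the optional root dot
    host = (parts.hostname or "").rstrip(".")
    if host == TRUSTED_HOST:
        return True
    # The leading dot stops "notexample.org" from matching
    return allow_subdomains and host.endswith("." + TRUSTED_HOST)


# Constructed sample URLs
SAMPLES = [
    "https://example.org/cb",
    "https://cdn.example.org/cb",
    "https://example.org.other-site.test/cb",  # trusted name used as a subdomain label
    "https://notexample.org/cb",               # trusted name as a suffix of another domain
    "http://example.org/cb",                   # right host, wrong scheme
]


def compare():
    """Return (url, weak_result, strict_result) for each sample."""
    return [(u, weak_is_trusted(u), strict_is_trusted(u)) for u in SAMPLES]


if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"{url:45} weak={weak!s:5} strict={strict}")
```
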
I did a degree apprenticeship at a FAANG company and was lucky to transition into a full time role there. It heavily depends upon the company, however my advice is that an apprenticeship at a well respected company goes much further than uni (bar Oxbridge) in terms of immediate job prospects.
I'd be very happy to talk more about this w/ you - email in my desc.
Sorry, endofreach, I'll continue to call it Meta or Facebook interchangeably. One is the company's legal name, and the other is its major product.
As for the evilness, I will not argue. Everyone is entitled to their opinions.
For the OP in question, Facebook will provide the best career launch pad, so I will continue to suggest that. I have been to Google and Facebook, so can compare the two.
They do, yes. There are some rules around the attribution, like if recruiters have reached in some capacity in the past xx months without an outcome, you may still not get an award, I believe.
This was one of my favorite security research findings and I decided to write my first ever blog post on it. Would love to hear everyone's thoughts and any constructive criticism on it!