EntreFrame: A Second Look At Entrecard Widgetsurf

Posted by Melo

Recently, I blogged about Entrecard Widgetsurf’s amazing tool that allowed dropping Entrecards on multiple widgets without even visiting the blogs or websites the widgets belong to. This was possible because the widgets were pulled out of the sites or blogs and placed on single pages in a 3×3 grid, so that each page held at least 9 widgets. That was the most convenient way of dropping Entrecards, but unfortunately the practice is not allowed by Entrecard and thus it was taken off.

After the tool or the pages were taken off, I noticed that they had introduced a new tool: the EntreFrame. I find the EntreFrame very interesting because it adds spice to your Entrecard widget by enclosing it inside a frame. Now, your common-looking Entrecard widget will stand out more and will become more noticeable to your readers or visitors. Indeed, EntreFrame is a very nice tool and I’ve seen that many blogs are already using it.

Using EntreFrame on your own blog or site is quite simple: you just have to copy the code and paste it somewhere in your template’s sidebar area. If you are using a plugin called Exec-PHP, then you can use a text widget and paste it in there. A sample code would look like this:

<?php echo file_get_contents('http://entrecard-widgetsurf.most-effective-solution.com/entreframe/border125_08/border125_08.php?entre_id=XXXX');?>

You’ll also need to change the XXXX part of the code to your Entrecard User ID Number and once that is done, your widget will be displayed with a frame around it. Ain’t it cool?

Now, my curiosity didn’t stop there. I noticed that the code is simply a call to a URL, so what I did next was copy the URL part of the code and change the XXXX part to a random number. In this case, I changed it to 2345, so now the URL will look like this:

http://entrecard-widgetsurf.most-effective-solution.com/entreframe/border125_08/border125_08.php?entre_id=2345

I then pasted the URL into my browser’s address field, hit enter, and there it was: staring in front of me was someone else’s framed widget on a blank page. It was a very interesting discovery. It seems that the URL alone can be used to pull out any member’s widget by simply changing the XXXX part to any four-digit number.

Widget Pulled Out

At this point, I felt that it was not looking good, because if you are a chaindropper, then what you can do is just change the XXXX to any four-digit number and hit enter in the address field to load a new widget to drop on. Since you are not loading an entire webpage, it would be very, very fast.

Concerned about a possible abuse, I sent my discovery to Entrecard and below was their reply:

Yeah, it’s cool, our security just wipes your credits out if you do it even a couple times. No security threat there. At all. – Entrecard

Entrecard Admin

I guess my discovery was not much of a security concern for them at all. Based on their reply, I’m assuming that they’ve already encountered and dealt with it before.

I’m happy that they’re on top of things like this but I still believe that to protect the integrity and value of the Entrecard Credit, the Entrecard Widgets must be totally secure and that they cannot be easily pulled out of the blogs or sites they belong to. Remember, the Entrecard Widgets are the main source of earning Entrecard Credits and if you can easily pull out a widget or widgets then just imagine the possibilities of it being abused.
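As an added illustration (not code from the original post or from Entrecard): a legitimate embed like the PHP snippet above always requests the same entre_id from the blog's own server, while someone editing the number requests many different IDs from one address, so a log check on the side serving the frames can tell the two apart. The log lines, addresses, date and threshold below are constructed, and this does not describe how Entrecard's own security works.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in common log format (documentation IP ranges).
_FMT = ('{ip} - - [12/Mar/2009:10:00:00 +0000] "GET /entreframe/border125_08/'
        'border125_08.php?entre_id={eid} HTTP/1.0" 200 812')
SAMPLE_LOG = "\n".join(_FMT.format(ip=ip, eid=eid) for ip, eid in [
    # A blog server embedding its own widget: same ID on every page view.
    ("203.0.113.10", "1001"), ("203.0.113.10", "1001"), ("203.0.113.10", "1001"),
    # One client walking through different IDs.
    ("198.51.100.7", "2345"), ("198.51.100.7", "2346"),
    ("198.51.100.7", "2347"), ("198.51.100.7", "2348"),
    # Malformed ID: ignored rather than counted.
    ("192.0.2.55", "abc"),
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" \d{3} ')


def flag_id_enumeration(log_text, threshold=3):
    """Return {client_ip: sorted distinct entre_ids} for every client that
    requested at least `threshold` different widget IDs (hypothetical cutoff)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if "/entreframe/" not in url.path:
            continue
        ids = parse_qs(url.query).get("entre_id", [])
        # Accept exactly one plain-decimal ID; anything else is not a widget load.
        if len(ids) == 1 and re.fullmatch(r"[0-9]+", ids[0]):
            seen[ip].add(int(ids[0]))
    return {ip: sorted(v) for ip, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for ip, ids in flag_id_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} distinct widget IDs: {ids}")
```

A shared web host can legitimately serve several blogs from one address, so the threshold would need tuning against real traffic before acting on a match.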

Anyway, it’s just something I accidentally discovered because of curiosity and, besides, if they say there’s no security threat then I guess there’s no security threat, right? ;)

P.S. This again proves that I do read the blogs I drop my cards on. LOL!
