Great idea, but think about where these ads are going to be seen. Right next to googlemoneytree.com and “Free iPhone” spots. That’s a tough stigma to get around.

plus, i believe that credit cards are automatically insured against fraud.

personally i believe these types of widgets will be the standard in a few years, and people will look back on static image banners and laugh.

Yeah, the second link looks to have stopped working around 4:15 AM (Pacific time). They haven’t fixed the issue, they’ve just blacklisted my IP address from talking to their servers. Try running the curl commands in my 1:30 AM update if you’re still interested in reproducing it.

Regardless, you seem clueless about how secure software works, so I’m not going to bother following up anymore.

are you out of job, looks like you spent entire night on trying to validate their widget

by the way your second link does not work either.

let me know if you are looking for a job..
email me at jobsonlyforhackers@matthew.com

After coming back and realizing it was that simple, I updated the page to automatically fetch the changing string (with instructions) and to refresh every 5 minutes.

As of right now, they’ve changed their validation code to blacklist dempsky.org as a referrer, but the trick would work on any other domain you care to try. E.g., right now http://70.85.31.../adgregate.html still works.

Are you just trying to get traffic to that page – I see your status message saying they are updating their security mechanism, any smart company will do that periodically.

I hardly believe you even got it working once. Try some other websites for cheap publicity.

Leo C

http://www.lce-...ma/banners/lce/

They can defend that the site which shows the widget is a second layer and the data gets stored in the main platform which I assume is SSL encrypted. But still… You pay on the widget.

The validation feature on the ad does link to https://secure.adgregate.com, which is good, but any other Flash ad, made by anyone, could link off to secure.adgregate.com in the same way. This is not a solution.

The point is that Adgregate is telling users to ignore web security and that their product gets a pass on the normal HTTPS rules, and it isn’t true. And if and when someone loses their CC# info on spoofed Adgregate ads, all of us web developers will suffer because users will think we’re all insecure.

next, there are all sorts of data feed issues from the merchant’s side. reviews, in stock, promotions, related items, etc.

if you go thru THAT much work to turn your entire website into an ad widget, then you might as well invest that cash in just doing a lot of CPA-ads and offering screaming deals to get people to CLICK ON THE DAMN F-ING Thing.

Let’s not forget, this is an AD after all. And you have this really expensive, high touch, thing called a WEBSITE that is ONLY ONE MOUSE CLICK AWAY!>!>!>!>!>

So why would you spend THIS much energy gilding a lilly when what you really want is to get users to experience the REAL, unconstrained version of the site.

If the user cares THIS MUCH about buying something, clearly they care enough to CLICK ON THE DAMN BANNER. Saving them time inside this super constrained space is a non-starter for most people.

If you got my attention w/ the ad, then you’ve succeeded. So move on. Carrying too much engagement w/in suboptimal spaces actually risks buyer frustration and poor user experience –ON TOP OF the fraud potential.

Clever “concept” — however, it is not well thought through. This is the classic Silicon Valley shoot before you ask questions company I would expect from a mgt team that has never worked in advertising OR ecommerce for any appreciable length.

I feel this is a great idea and will definitely work…

There is also a feature on the widget to validate it and confirm if this an authentic widget.

I have tried few different ways to see if the credit card data is passed to their server in plain text but looks like they are encrypting and making it secure.

So, I would recommend that you should test it out before commenting any bull***t

Hemen

http://blog.red...or_the_web.html

I’m honestly a little amazed that Double Click would do a deal with them when they are actively encouraging users to enter CC#s on insecure, tamperable pages.

@Phil D. The communication to get the Flash widget from Adgregate is secure in the sense that it is private, but the HTTP page that hosts the Flash widget is completely tamperable. So, an evil person could change the HTTP page to point to an evil Flash widget that looks just like an Adgregate widget. That evil Flash widget could send the CC# wherever the evil person wants.