Be careful what you inline: Defunct video-hosting domain used to inject smut flicks into news articles, more

From vid.me to f&*% me?!


Updated The domain name of a now-defunct website used by news publishers and others to inline videos in articles has been configured to inject porn into those pages.

Vid.me once upon a time hosted user-submitted videos, and allowed them to be included in webpages using HTML <iframe>s. Websites thus could embed those videos in their coverage, and have the content served from vid.me's systems.

In 2017, vid.me closed its doors, and was acquired by another video-hosting biz called Giphy, which Facebook is trying to snap up.

Sometime after vid.me shut down, the domain was updated so that it pointed to the very NSFW website of Five Star HD Porn, the name of which should give you an indication of the nature of its content. It is likely the domain was changed at the start of this month, judging from its WHOIS records.

And so, as spotted by Twitter user dox_gay today, and first reported by Vice, webpages that embedded those vid.me videos – including articles published by the Washington Post, New York Magazine, Fox Sports, Huffington Post, and others – ended up inlining the homepage of the hardcore porno website, and thus displayed thumbnails of and links to X-rated material.

Here's what one of those webpages – taken from Fox Sport's dotcom – looks like as a result of this mess, at time of writing, censored as necessary by us:

Screenshot of a Fox Sports webpage with the vid.me embed in it

Inline out of line ... The now-NSFW article on Fox Sports as a result of the vid.me brouhaha. Click to enlarge

Some of those aforementioned publishers, particularly the larger ones, have scrambled to remove the now-adults-only vid.me <iframe>s. What probably happened is that vid.me expired or was sold on, someone snapped it up, and just recently its DNS was updated to serve the porn site.

Though Vice observed that this affair shows the "internet is a collective hallucination that is fading away thanks to link rot," we'll go one step further: it's a reminder that you inline third-party content on your pages at your peril. Whatever you think is in that <iframe> now, it may not be there in future. There may be something from your worst nightmares.

No one at Giphy nor the porn site was available for immediate comment. ®

Updated to add

A person in the know told us Giphy let the domain expire after buying vid.me, and so it ended up in the hands of someone who pointed it at the porno site.

PS: Yes, El Reg inlines some outside content, such as Twitter posts. But arguably Twitter's a safer bet than a three-year-old startup like vid.me was.


Other stories you might like

Biting the hand that feeds IT © 1998–2021