Major news sites serve porn after vid.me domain takeover

Major news sites, including The Washington Post, New York Magazine, and HuffPost, saw their stories display porn videos in place of the videos originally embedded in them.

The fiasco happened as prominent websites relied on the domain vid.me to embed streaming videos in their articles.

The vid.me domain has been defunct for about four years and has had its ownership transferred over time to different parties.

For those who prefer to watch… ‘Right in front of my salad?’

Websites of major news outlets such as The Washington Post, New York Magazine, and HuffPost, among others, shocked readers when their stories displayed NSFW videos with no relevance to the story.

As seen by BleepingComputer today, unfortunately, some news sites are still stuck with this mess:

An example of a news story still showing embedded NSFW videos replacing the legitimate ones

The incident, first reported by Motherboard, was spotted yesterday by a user, DOXIE, who has shared many more examples in their Twitter thread.

How did this happen?

Essentially, the affected sites had been relying on the video streaming provider, Vidme, to embed streaming content.

To do so, websites would use HTML iframes to display the videos hosted on the vid.me domain:

HTML iframe would previously display a legitimate video (BleepingComputer)

However, Vidme has long been defunct. 

In 2017, Vidme shut down its operations with vid.me’s homepage showing a farewell message:

Farewell message previously displayed on Vid.me site since 2017 (BleepingComputer)

A blog post followed stating Vidme had been acquired by Giphy. Any hosted videos were scheduled for deletion on December 15th, 2017.

In practice, this meant that those iframes embedding hosted videos would, under usual circumstances, ideally have shown nothing or maybe an error message.

But, according to WHOIS results, the vid.me domain’s ownership and/or registration was updated sometime this month.

DOXIE hypothesized that the domain had expired and was taken over by a porn company, “5 Star HD Porn,” which now redirects all vid.me links to the porn site.

As such, all of the websites previously embedding content from Vidme via iframes were now serving hardcore porn.

Some have cheekily asked whether this counts as a supply-chain incident.

5 Star HD Porn, which now apparently owns the vid.me domain, did not respond to Motherboard’s request for comment.

Suffice it to say, if you were previously using Vidme to host content on your website, it makes sense to purge any and all links to the defunct service.
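One way a site operator could find the leftover embeds before purging them, shown as an added example rather than code from BleepingComputer or any affected site: a small Python audit that parses stored article HTML and reports every tag that makes the browser load content from a retired domain. The tag list, function names and sample markup are assumptions made for illustration; vid.me is the only domain taken from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains whose embeds should be purged; vid.me is the one named in the article.
RETIRED_DOMAINS = {"vid.me"}
# Tag -> attribute that makes the browser fetch third-party content (assumed list).
EMBED_ATTRS = {"iframe": "src", "embed": "src", "script": "src",
               "video": "src", "source": "src", "object": "data"}

def is_retired(host):
    # Match the domain itself or any subdomain, but not look-alikes (notvid.me).
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RETIRED_DOMAINS)

class EmbedAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_name = EMBED_ATTRS.get(tag)
        url = dict(attrs).get(attr_name) if attr_name else None
        if not url:
            return
        try:
            # urlsplit also resolves protocol-relative URLs such as //vid.me/e/x
            host = urlsplit(url.strip()).hostname
        except ValueError:  # malformed URL: nothing to match against
            return
        if is_retired(host):
            self.findings.append((self.getpos()[0], tag, url))

def audit_html(html):
    """Return (line, tag, url) for each embed pointing at a retired domain."""
    auditor = EmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample article body, not taken from any real site.
SAMPLE = """<p>Watch the clip:</p>
<iframe src="https://vid.me/e/EXAMPLE" width="640"></iframe>
<iframe src="//www.vid.me/e/EXAMPLE2"></iframe>
<iframe src="https://video.example.com/embed/1"></iframe>
<iframe src="https://notvid.me/e/3"></iframe>
"""

if __name__ == "__main__":
    for line, tag, url in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Adding other retired providers to `RETIRED_DOMAINS` lets the same audit run over a whole content archive, one article body at a time.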

Readers who prefer to block content from this domain from appearing in unexpected places can add vid.me to their system’s hosts file, as suggested by tech lawyer Neil Brown.

There’s a tutorial on BleepingComputer explaining how to accomplish this. Adding the following line to your hosts file (without http://) should suffice:

127.0.0.1 vid.me