Date: 2023-10-18

Sqword is a tremendously simple letter game. It is played in the browser and involves placing the letters you are dealt into a 5×5 grid to form as many words as possible. Following the success of Wordle, the deck of letters changes every day, so every day there is a new game.

Its developer, Josh C. Simmons, created it with his friends solely for fun, without any way to monetize it. No ads or micropayments. However, one of his colleagues discovered that searching for “Sqword” on Google brought up several third-party results: unknown people had simply inserted the game into an iframe and surrounded it with ads to monetize it.

Revenge is a dish that is served cold.

The double edge of an iframe

“This made me more angry than necessary,” Simmons says on his blog. “Not because Sqword is a cash cow, we don’t run ads or make money with it, it’s just for fun; but because it was a passion project with friends, something pure and intentionally free to play WITHOUT ads,” he adds.

“It’s against my spirit as a developer, there are banners and pop-ups everywhere.” The way they see it, a game must be free, or paid, making its exact model clear from the beginning.

Game interface. Image: Squareword.

What did Simmons do to respond to those who had embedded the game on their own pages to monetize it? He made a subtle change to the game code. If the game detects that it is being embedded in an iframe, it does not show its usual interface but the famous Goatse image.

This is what the code looks like right now. Image: Squareword.

Goatse, if you are not familiar with the term, refers to a famous website created in the late nineties that lasted for years as a joke on online newbies. “Do you want to have more RAM? Download it on the Goatse website” was a typical example of a joke involving this website. When the victim visited it, they found a tremendously unpleasant image. That same image is what the game shows to those who go to these third-party websites to play Sqword.

As we have been able to verify on several websites of this type, the code does indeed work. We do not recommend that sensitive people, or anyone who has just had breakfast, repeat this check.

The lesson that Simmons leaves is clear: “If you are using an iframe to display a site that is not yours, even for legitimate purposes, you have no control over that content, it can change at any time. One day, instead of looking in an iframe, you could be looking at a completely different type of portal.” That has happened.

Here you can see some of the results shown, properly modified to be less disruptive. Simmons has added the text “stealing other people’s code” to the image.

“The mature and responsible thing would have been to add a content security policy to the page,” Simmons said before jokingly admitting that he is not a mature person, which is why he made the Goatse decision.

Disgust aside, his lesson is absolutely valid and current, whether on the Internet of the nineties or today: if you simply embed code from a third party, you have no control over it, and the content can change at any time.
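
A content security policy restricts framing through its `frame-ancestors` directive, which tells the browser which origins may embed a page. The following is an added example, not Sqword's code: it builds the response headers and models the browser's decision for a direct parent frame only; the function names and the `.example` origins are hypothetical.

```javascript
// Added example: framingHeaders/mayFrame and all origins are hypothetical.

// Build response headers that restrict who may embed the page.
// allowed: extra origins permitted to frame it (empty = same-origin only).
function framingHeaders(allowed = []) {
  const sources = ["'self'", ...allowed].join(' ');
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  // X-Frame-Options cannot list origins, so it is sent only as a legacy
  // fallback when the policy is same-origin only.
  if (allowed.length === 0) headers['X-Frame-Options'] = 'SAMEORIGIN';
  return headers;
}

// Does one source expression match the embedding origin?
// 'none' needs no special case: it matches no origin.
function sourceMatches(source, embedder, own) {
  if (source === '*') return true;
  if (source === "'self'") return embedder === own;
  const m = /^(https?):\/\/\*\.(.+)$/.exec(source); // e.g. https://*.partner.example
  if (m) {
    const u = new URL(embedder);
    return u.protocol === m[1] + ':' && u.hostname.endsWith('.' + m[2]);
  }
  return source === embedder;
}

// Simplified model of the browser's decision for a direct parent frame.
function mayFrame(headers, embedder, own) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const directive = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) { // frame-ancestors takes precedence over X-Frame-Options
    return directive.slice(1).some(s => sourceMatches(s, embedder, own));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === own;
  return true; // no framing header at all: any site may embed the page
}
```

With no framing header set, `mayFrame` returns true for every origin, which is the situation that let third parties wrap the game in ads.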
