WTV HACKING ARCHIVES: OLD TRICKS
Updated 7-30-99
This page, 1999 ulTRAX@webtv.net.


Please notify me of any additions or corrections.

NOTE: This section is dedicated to all those Old Tricks we once used, but no longer seem to work. Most Tricks were posted, some tricks were originally found on other's HPs. If this occured, I have given note of that. But, posting a trick on a HP may still leave a question as to who originally discovered the Trick. Please write me if you know of any other Old Tricks, or to correct any mis-information contained here. Thanks! First some background...

DISPLAY TAGS:WTV uses a number of custom commands that disable various features in the WTV browser. They can prevent a page from being sent or saved.... prevent a page from showing up in the RECENT cache, disable the OPTIONS panel etc. It is because of these Display Tags that some of the override tricks were necessary.

META tag: was essentially a automatic timer that set in motion a predefined action.... It could take one to a web or WTV URL, or set off a client poweroff code... and become a mailbomb. The first use of this command I was aware of was in February 98 by someone named Spaceguy, or somesuch. The META command has not been supported since the 1.4/2.2 Summner 98 Upgrade.

WTV URLs: Back in late winter 98 the best WTV Tricks and Secrets Site was WEBTV Madness. But, with only 300 or so URLs and Commands, there were plently more to find... such as codes for Chat Rooms, NG articles, the HD, etc. To get these WTV URL one had two choices: either use Javascript in the GoTo box (again stopped by the Summer 98 Upgrade), one could use various on-line utilities that had a referrer. Unfortunately, sites like the Starblvd Transloader and MadRabbit did not work with the Plus until Summer of 98. Both had changed from using the document.referrer javascript command to history.previous.


JAVASCRIPT IN GOTO BOX: ?/prehistory
Apparently JS was available in mail and NG postings until the June 97 (1.2) Upgrade. It was also available in the GoTo Box. To access a WTV URL, one entered the command: javascript:window.open("wtv-cookies:/list"). To access information about a page, say its URL, one used JS alerts: javascript:alert(document.location). As part of WebTV's eternal attempt to prevent us from direct access of WTV URLs, JS was removed from the GoTo box with the Summer 98 Upgrade.


NG ACCESS WITH SURFWATCH ACCOUNT: from WebTV Madness Site.
Even in January of 98 this trick already was obsolete. It simply used JS in the GoTo box and attempted to direct access a NG by name.

javascript:window.open("wtv-forum:/news?group=NAME")


ATTACH BUTTON ADDRESS: from WebTV Madness Site/January 98
This is the URL from the Attach Button. By changing the "true" to "false" at the end, it will become a "detatch" button. (I never had any idea what this was about.)

client:submitform?name=sendform&submitname=attach&submitvalue=true


DEMO: December 97?
Once, DEMO was a fully functional WTV account. Access to DEMO seems to be a function built in to all WTV boxes. I can not get any answers from WTV about this... and I'm assuming WTV Retail Reps used a Power-Off code to access DEMO. How we accessed it apparently was not what WTV intended. The earliest referrences to DEMO I know about were from mid-December 97. Please correct me if I'm wrong.
For more on demo please go here. The following is the old way to get to DEMO:
from your WTV HP, place the cursor on "switch users".
Hold the GoTo button down.
As the GoTo panel goes down, press"return".
The GoTo box should pop back up just as you are going to the Main User Screen.
There, simply enter wtv-tricks:/home, and
hit return.
As part of WTV's first DEMO crackdown in late January 98, the kiddie filter was put on. We lost access to Mail. That was no obstacle since we could still access it using the wtv-tricks:/mail command.


EXTRA USERS: ulTRAX/January 98
I did not discover the code which originally came from the accounts section. I was given the code by LineNoize for another prupose... that was to see if I, too, could add DEMO to my list of users as LineNoize apparently had. When I dicovered I could add a 7th user I told no one, but began a search for a "user to user" shortcut code. A one point I had nearly 20 users.... but with names like Pukehead 1-10, that's nothing to brag about. at the time I was attempting to create as many new users as quickly as I could to study the userID numbering sequence. The code is:

wtv-setup:/validate-add-user-communication-access?user-name=NAME


NOSAVE OVERRIDE:
Often there were HPs (or even WTV pages) that used the NOSAVE Display Tag. One way around it was to manually open the SAVE Panel using JS in the GoTo window.

javscript:window.open("Client:OpenSavePanel")


PLUS PW BYPASS TRICK: AlphaX/March 98
I stripped down AlphaX's complicated original technique.
When one was at a PW page of another user on their own box... one simply hit "view" to go to TV HOME. There, one simply hit WEBHOME.
One would end up on the HomePage of the PW protected user.


GETTING USER & SUBSCRIBER ID#s: ulTRAX/March 98
I know I can't have been the first to see these IDs, but I may have been the first to realize the opportuity (as well as the danger) in getting hold of these ID numbers. WTV negligently allowed its mailserver to include User and Subscriber ID#s as well as one's Previewer Status as part of Returned Mail Reports.... specifically when a mailbox was full. These numbers were located in the "Details" section of the report. Of course this meant that if one wanted a person's ID#s, all they had to do was bomb a mailbox until it was full. When I first discovered this I did not post but instead wrote to every WTV person I knew, from Perlman to WeCare.
This practice ended with the Summer Upgrade but IDs again started showing up with FUNK, then again in January 99... and again in June 99 during the Grunge rollout. Given that these numbers were critical to hacking accounts, WTV should have taken more care with them.
The code looked like this:

<"JoeBlow?user-id=1234567&subscriber-id=1112345&category=green"@postofice-bsg.bryant.webtv.net>.

Note: the mailserver would probably change each time one logged on.


GETTING PREVIEWER GROUP STATUS: ulTRAX/March 98
Part of the above trick was the ability to determine whether one was a Previewer, and if so, what color test group they belonged to. The code looked the same as above except for the addition of a color code:

<"JoeBlow?user-id=1234567&subscriber-id=1112345&category=yellow"@postofice-bsg.bryant.webtv.net>


HACKING PW PROTECTED ACCOUNTS: ulTRAX/May '98
This is more a technique than a Trick. It could only be used if one had first hacked another's PW protected account. That entailed using rcpeases's hack code then AlphaX's PW bypass Trick.
A curious thing occured when one hacked a PW protected account on another box. One did not end up in their account, but seemingly in a brand new account with the victim's name. There was no mail or FAVs. One got all the tutorial messages meant for a new users.

To get to the real account, one then had go to the victim's account section and delete their PW, then rehack the account. Needless to say, the victim would soon realize something was wrong when they found their PW deleted.

This worked until mid-May 98 when WTV made some server-side adjustments to prevent accounts from being hacked.


NG CHAT WORMHOLES: ulTRAX/March 98
This trick was simply used a combination of a META tag and the URL for a specific Chat Room at TalkCity. Since the post was crossposted to 8 NGs, anyone in any of those groups opening the post would be transported to a Chat Room filled with strangers.

<META: http-equiv="refresh" content="0;=wtv-chat:/MakeChatPage?host=chat.talkcity.com&port=6667&channel=HTML_CLUB">


POST EMBEDS WITHIN POSTS: ulTRAX/March 98
This trick used, apparently for the first time, the direct URL for individual NG posts. Once the code was known.... one could embed one post (or 9!) in another, or even META someone over to a post in another NG. I'll include the code here when I find it.


DISAPPEARING MAIL: ulTRAX/April 1, 98
As could be expected, this April Fools trick was not universally appreciated. It used a META tag so as soon as someone opened a post... they briefly saw a message saying "kiss your mail goodbye", and were transported to their own mail page which anounced their mailbox was empty. Below is the stripped down version of the original code. Apparently it was that last underscore that confused the browser. This trick still works but the page that is created differs from that of a truly empty mailbox.

<META: http-equiv="refresh" content="0;wtv--mail:/listmail?mailbox_name=mbox_">


MAIL POPUPs: mattman69/speed-exp/April 98
I'm fairly sure Mattman was the first to use these annoying codes, if not he certainly was one of the masters of the popup. The original popup code came from the mail page itself. When one sends a letter, the mailbox animation popup comes up. I first remember seeing this code mid-March 98.
Among other things, Matt discovered he could use gifs from other sources. Here's one of Matt's old codes.

<META: http-equiv="refresh" content="0;=client:showalert?message=Hi There!&image=http://anglefire.com/imagesimages3/greenguy.gif&action=submitform"> Speed-exp discovered he could add additional effect. Here is one of his original codes:

<META: http="refresh" content="0;url=""> url=client:showalert?message=<textarea>This%20space %20available</textarea><marquee>the web gets <sub>smaller...</sub></marquee>&image=http://members.tripod.com/~speed_exp/bans/stvngold.gif&action=submitform">

. Popups (mercifully) died with the Summer 98 Upgrade.


HACKING WTV ACCOUNTS: rcpease/April 98
While others were hot on the trail of being able to hack accounts, rcpease apparently beat us all by 3-4 weeks only no one knew it. To hack accounts he needed a valid User ID#. This was used with the end of the wtv-head-waiter:/login-stage-two code while going to DEMO. Apparently all that was necessary was the section /ValidateLoginName&user-ID=xxxxxxxxx This took Plus users right to the HP of that account. Rcpease contacted me on May 6 because of the Hacking Contest I was running. After he demonstrated that it worked, we both agreeded WTV had to be told. The announcement that hacking accounts had been possible was withheld until after the fix was in.


BREAKING 15 CHARACTER NICNAME LIMIT (June 98): EekThaKat & SyKod-eC (aka RingMazter)
writes: I was the first to use this code, & post using [the nic] abcdefghijklmopqrstuvwxyz@webtv.net but about 10 minuets later, Eek posted how to do it.

From EekTheKat's HP: EEK instructed that one should fill in all the [blank]info.... and to use this code in one's sig.... something no longer possible.

<a: href="wtv-setup:/validate-add-user-communication-access?user-human-name=[first]&user-human-name-last=[last]&user-name=[name]&user-password=[password]&user-password2[passwerd]&restricted-web-access=unrestricted-access&restricted-chat-access=unrestricted-access&email-access-denied=&Continue=Continue">Add User</a>


MAIN USER PW BYPASS: from EekThaKat/June 98
Simply use this URL entered beyond client:relogin wtv-head-waiter:/login-stage-two?new_registration=[USER ID GOES HERE].


SECONDARY USERS PW BYPASS: from EekThaKat/June 98
This method may no longer work. Again, use this URL in the credits button:

wtv-head-waiter:/check-tellyscript?next-url=wtv-head-waiter:/ValidateLoginName%3Fuser-id=[users id]%26target-url=&dummy=


"LISTING" IN SEARCH BOX TRICK: ummbagumba (sp)/July 98
This trick simply used a "LISTING" or "XMP" commands in a search box to reveal the HTML code of the resulting search page.


LETTER CODE TRICK: rcpease/July 98
Rcpease adopted the "LISTING" trick above and used it in the Mail Setup area in the name box. When one went back to their own account to "write" a letter... all the letter's HTML code was visible. This trick was discovered as 1.4/2.2 were being introduced and did not seem to work with the older Clients.


RETURNED MAIL REPORT CODE TRICK: rcpease/August 98
This Trick simply used a XMP command in the subject area of a letter that was to be bounced. It revealed most of the code that went into a Returned MailReport. I further adapeted it with XMPs in the body and sig which, I believe, for the first time showed the Get-Signature command.


IP SWITCH USERS TRICK: ulTRAX/August 98
This was an accidential discovery using the Client:ShowService IP list discovered at WTV-Tricks. Entering the IP alone did nothing, but adding an HTTP to the front got a response from the WTV servers: one was kicked back to the Main User Screen.


JAVASCRIPT CODE READER: Idiotic/August 98
This ingenius script gave us access to JS again. It was originally writtn to be used in the NG Search Box. It used variations of the JS commands we once used in the GoTo box. I made a few slight modifications to enlarge the textboxes. Initially, this code only worked with Plus Boxes. Like the NG Search Box trick... this, too, required a blank space, then a search topic

<form>Javacript:<br><input id=js rows=2 cols=60 onChange="txt.value=eval(this.value)"><br>Resuts:<br><textarea id=txt rows=2 cols=60></textarea><br>Notes:<br><textarea rows=15 cols=60></textarea></form><iframe id=ifr src="URLgoesHERE" width=400 height=400> n2play

This code apparently had been adapted for Classic boxes as well....


TECH INFO FEEDBACK: ulTRAX/October 98
This trick blended a TECH INFO code with a HREF command. In the examples below for Text Size and Call Waiting.... both provided feedback on current settings and provided the link to get to the pages to adjust these settings if need be. For example, for Text Size all one saw was text: "small", "medium" or "large". One then clicked to go directly to the Text Setup page. (NOTE: some brackets have been removed from the code to prevent substitution with dummy-bad-links. Tech codes must also include semi-colons.)

a href="wtv-setup:/text">--text:&fsize--</a

a href="wtv-setup:/phone-call-waiting">--phone:&nowait--</a>


ACCESSING DELETED USERS: mattman69/Dec 98
This trick only worked a few times. Apparently WTV stores the files of our old users and we may request to have them back at any time. When Matt heard about this he tried the old Hacking Code while in Demo. He used the User ID of some old deleted users and was able to gain access. But this trick did not work for very long.

At this point it's unclear just how long WTV stores old user files... either those users who have been deleted, or those accounts that have been TOSed.





~ INDEX ~