The New York Times and Pinterest Have a Hidden Message for Developers
Want a job? Just crack the code.
Want to separate the wheat from the chaff when hiring your company's next web developer? Try hiding the job posting in the code of your website.
Web developer Troy Hunt was teaching a security workshop recently when one of his students noticed that Airbnb uses this approach. They found the message "X-Hi-Human: The Production Infrastructure team added this header. Come work with us! Email firstname.lastname@example.org" hidden in the company's response header.
Hunt was curious if this was unique to Airbnb, so he checked to see if any other popular web platforms did the same thing. Sure enough, he found a big "You're reading, we're hiring" message in Flickr's source code:
After Hunt blogged about his findings, his readers commented revealing a bunch more sites that use the same tactic, from the New York Times:
I dug a little further and found some more examples. Hipchat does it:
and so does Pinterest:
As you can see, a lot of the messages include old-school ASCII art renderings of the company logo and most of them point to a general job board. Of course, it doesn't take particularly superior coding skills to locate these Easter Eggs (case in point: I was able to do it in about 0.3 seconds), but it's a good way to catch the attention of people who are obviously already interested in a site's backend.
It also calls back to the long tradition of using coded or secret messages to attract the attention of people who are crypto-curious. There's the now-famous Daily Telegraph timed crossword puzzle that helped British military intelligence identify possible recruits for the Bletchley Park team that eventually cracked the Enigma code. And they still use this tactic today: in 2013, GCHQ, the UK's answer to the NSA, cooked up a cryptogram puzzle that they used to enlist potential codebreaking employees.
It makes sense: a good web developer or secret agent code breaker is naturally curious, loves a challenge, and likes to see how things work. Now if they start to combine the two and embed cryptograms in a site's code, they'll really be upping the ante.