Easter eggs are nothing new in technology, especially in software. They started out in entertainment in the 1970s and have remained part of pop culture today. Easter eggs in the digital sense, particularly those found in software and applications, aren’t as popular as they once were, but developers are still in the habit of looking for ways to spice up their code and leave a little piece of themselves behind. Easter eggs are intentionally hidden messages or features that occur in response to a set of secret commands, and the results can vary from a simple (and often silly) message or an image to a page with the programmer’s credentials. While Easter eggs are fun, they do bring up an interesting debate about the possible security implications that may arise before or after implementation.
Hidden Easter eggs aren’t meant to be discovered easily by the average user – hence their name. And every now and then, a user will accidentally stumble upon an Easter egg and immediately assume that they have been hacked. In fact, WordPress users are often left with the impression that they’ve been hacked, thanks to one clever developer and his “Matrix Easter Egg.” In this clever code, site admins who poke around with post revisions on WordPress are met with a cryptic message from the popular Matrix movie. Reportedly, if the Easter egg is activated, the screen goes black and the message “the Matrix has you” appears – enough to frighten anyone.
Although the original intent is harmless fun, it’s not entirely surprising that this causes a state of alarm for users who don’t understand the concept of Easter eggs. While some software companies like Microsoft have a strict policy against Easter eggs and others are entirely against the idea, open source project WordPress is comprised of creative developers who may slip an Easter egg or two into their code. In WordPress, the plugin The Konami Easter Egg even allows admins to incorporate hidden videos or messages within their websites.
While all fun and games, Easter eggs can pose real security concerns. They do have the potential to unlock backdoors and invite hackers in to cause damage. In fact, there have been several documented cases of Easter eggs causing tangible harm. It may even be the case that there is a bug within the original Easter egg due to poorly written code that ultimately creates a security vulnerability or results in the loss of customer data.
As a result, many proponents of Easter eggs including admins of WordPress may be in agreement with these informal codes of conduct when writing Easter egg code. Easter eggs should:
- Not confuse the user
- Not cause harm to the user
- Be consistent with the company voice or brand, if associated with one
- Follow a normal review process
- Consist of quality code
- Follow normal security review since poorly reviewed code can open unintentional backdoors for hackers to exploit
There are two sides to this debate when it comes to whether developers of a website should have the freedom to insert Easter eggs into their code. Is it unprofessional of the developers? Is it annoying to users who don’t understand Easter eggs? But what if the developer aims to insert something malicious into the code? These are all questions that must be asked when considering the debate.
It’s very much possible that you’ll stumble across an Easter egg and not even realize it. If you are confused by a potential Easter egg on your favorite site, contact the website administrator and find out for yourself. You might even end up with a treat! (FYI, WordPress’ terms of service page has a special treat if you can find their hidden Easter egg). What side of the Easter egg debate are you on? Let us know by dropping us a line at firstname.lastname@example.org.