Oliver Pugh's Interactive Christmas Tree Invites Interaction, But Received a Rickroll

It's a trend the internet is never gonna give up — but who wouldn't like a little holiday Rickroll cheer on their Internet of Things tree?

Maker Oliver Pugh has put together the Interactive Christmas Tree, a web-connected smart holiday decoration with user-controllable lights and displays — which was "hacked" almost immediately after launch to Rickroll its owner.

"I built a Christmas Tree where anyone can control the lights and draw pixel art (like [Reddit's] r/place) on the baubles," Pugh explained in the announcement of the tree's go-live date yesterday. The idea: anyone on the internet could visit the website to see an image of the tree and control not only the colors of individual lights but also draw simple pixel art for display on LCD "baubles."

The Interactive Christmas Tree asked for pixel-art, and almost immediately received Rick Astley instead. (📷: Oliver Pugh)

Naturally, it didn't take long for someone to take the concept further. Shortly after launch a trickster visiting the website figured out a way to bypass the pixel-art interface and address the LCD bauble displays directly — and began Rickrolling Pugh in his own home, having the on-tree displays show images of Rick Astley's famous 1987 debut.

"[There was] no server side validation of the colors, there’s a client side color palette you choose from. Whoever this was just hit the server directly," Pugh explains of the flaw. "I forgot the number one rule of always do server side validation."

The Interactive Christmas Tree is now available on Pugh's dedicated website, with the flaw having been addressed; anyone wishing to control the tree, however, is required to sign in via a Google account. Hourly updates of the tree's status are also available on Twitter.
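The server-side check Pugh describes as missing, sketched here as an added example rather than the project's own code. The payload fields, palette values, bauble count and canvas size are all assumptions, and the example also bounds-checks the target pixel, which goes beyond the color check mentioned above.

```javascript
// Added example. Field names, palette and sizes are assumptions, not the tree's real API.
const PALETTE = Object.freeze(["#000000", "#ffffff", "#ff0000", "#00ff00", "#0000ff", "#ffff00"]);
const BAUBLE_COUNT = 4;     // hypothetical number of LCD baubles
const BAUBLE_SIZE = 16;     // hypothetical 16x16 canvas per bauble
const MAX_BODY_CHARS = 128; // a one-pixel update never needs more
const FIELDS = ["bauble", "x", "y", "color"];

const reject = (error) => ({ ok: false, error });
const isIndex = (v, limit) => Number.isInteger(v) && v >= 0 && v < limit;

// Validate one raw request body on the server, whatever the browser UI allowed.
function validatePixelUpdate(rawBody) {
  if (typeof rawBody !== "string" || rawBody.length > MAX_BODY_CHARS) return reject("bad body size");
  let msg;
  try { msg = JSON.parse(rawBody); } catch (e) { return reject("invalid JSON"); }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return reject("not an object");
  const extra = Object.keys(msg).find((k) => !FIELDS.includes(k));
  if (extra !== undefined) return reject("unexpected field: " + extra);
  if (!isIndex(msg.bauble, BAUBLE_COUNT)) return reject("bauble out of range");
  if (!isIndex(msg.x, BAUBLE_SIZE) || !isIndex(msg.y, BAUBLE_SIZE)) return reject("pixel out of range");
  const color = typeof msg.color === "string" ? msg.color.toLowerCase() : null;
  if (!PALETTE.includes(color)) return reject("color not in palette");
  return { ok: true, update: { bauble: msg.bauble, x: msg.x, y: msg.y, color } };
}

// Apply only validated updates to an in-memory canvas; collect errors for the rest.
function applyAll(bodies) {
  const canvas = Array.from({ length: BAUBLE_COUNT }, () =>
    Array.from({ length: BAUBLE_SIZE }, () => new Array(BAUBLE_SIZE).fill(PALETTE[0])));
  const rejected = [];
  for (const body of bodies) {
    const res = validatePixelUpdate(body);
    if (res.ok) canvas[res.update.bauble][res.update.y][res.update.x] = res.update.color;
    else rejected.push(res.error);
  }
  return { canvas, rejected };
}

// Constructed sample requests: one from the palette UI, three sent straight to the server.
const SAMPLE_BODIES = [
  '{"bauble":0,"x":3,"y":5,"color":"#FF0000"}',
  '{"bauble":0,"x":3,"y":6,"color":"#c68642"}',
  '{"bauble":1,"x":200,"y":0,"color":"#ffffff"}',
  '{"bauble":2,"x":0,"y":0,"color":"#ffffff","image":"AAAA"}',
];
console.log(applyAll(SAMPLE_BODIES).rejected);
```

The client-side palette can stay as a convenience; the point is that the server holds its own copy of the allow-list and treats every request body as untrusted.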

ghalfacree

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
