
Faking votes on Hacker News - critic
http://xach.livejournal.com/214252.html
======
pg
Not cool. We deliberately don't put that much effort into security, because
this is a community based on trust, not a bank. And by choosing to publish
this rather than e.g. simply sending me an email about it, he's inviting
people to do this.

~~~
erlanger
Hilarious. The head of "Hacker News" is mad because his news has been hacked.

~~~
sgrove
It was an interesting manipulation of the system, but as pointed out it's a
dangerous slope. A community based on trust will sour very quickly if a lot of
these tricks pop up.

Sharing the trick is entirely reasonable: small hacks like this are something
to be proud of, given that you've acted in a reasonable way (e.g. contacted
the site and informed them before telling others, not actually using it to
game the system, etc.)

Could have gone that way. Didn't.

~~~
erlanger
Hackers should know how to secure their own website. Between this and the JS
injection hack (from the same fellow), it's clear that security is porous at
best.

~~~
bad_user
As a kid I never understood why some of the kids made it a hobby to trash the
sandcastles built by the others. It was an interesting phenomenon to watch :)

Maybe they thought that if they wanted to, they can do better, but they never
did.

~~~
erlanger
Or maybe it's a cop-out to say that you didn't care about your sand castle's
security in the first place. If you knew of a way to keep it from getting
knocked over, you'd use it.

~~~
run4yourlives
Being an asshole is just that - being an asshole.

It doesn't really involve anyone else.

------
ericwaller
It's worth having a link to <http://en.wikipedia.org/wiki/Cross-site_request_forgery>

Something to think about for your own applications

------
gojomo
You wouldn't necessarily need someone to volunteer their username to make this
work. This unfixed and ancient (2002!) browser vulnerability leaks
information, via the styling of 'visited' links, about other URLs you've
visited:

<http://seclists.org/bugtraq/2002/Feb/0271.html>

In many cases, the only person who will have visited all of...

<http://news.ycombinator.com/threads?id=USERNAME>

<http://news.ycombinator.com/submitted?id=USERNAME>

<http://news.ycombinator.com/saved?id=USERNAME>

<http://news.ycombinator.com/user?id=USERNAME>

...is USERNAME. So another exploit -- still sneaky but not quite fraudulent,
and not especially unique to HN -- would be to design an offsite page that
does one or both of (1) greets HN users by name upon their visit; (2) logs
which of some chosen set of HN users has visited the page.

~~~
tlrobinson
True. You'd still need to brute force USERNAME, but it's much faster to do
that in JavaScript than issuing a million HTTP requests.

~~~
gojomo
If by 'brute force' you mean 'iterate through all legal usernames', I hadn't
even thought of that!

I would expect someone instead to pick the leaderboard, or some other extant
set of names (eg: Google [site:news.ycombinator.com inurl:user]), and just
iterate over those.

(Sad aside: try that query at Google or Yahoo, and review the top 100 results.
An awful lot of the usernames ranking highest are drug names.)

~~~
tlrobinson
Yeah, I meant brute force over all registered usernames. I wrote a page that
used the vulnerability you mentioned to check to see if a user has visited any
of the top 100,000 websites: <http://tlrobinson.net/misc/history.html> (it
seems to be broken now though) and it can churn through 100,000 tests in a few
seconds.

------
r11t
I fell for the trickery (admittedly my mistake for trusting an unknown website)
and submitted my user name, expecting to receive a graph like the page
promised.

However, as pg already pointed out, it was totally uncool not notifying him
before making it public. I am in support of full but responsible
disclosure. So maybe he could have published it after informing pg and the
issue was taken care of.

~~~
dag
Taking it public _is_ a fix. Now that this information is public none of us
will give out our usernames to external websites, thus ending the problem. In
effect Xach could decide between emailing someone hoping they fix the
problem, or just fixing it.

I found this whole event funny. I'm also amused that people reacted as
negatively to this prank as middle managers at my old $MEGACORP job would.

~~~
critic

    Now that this information is public none of us
    will give out our usernames to external websites,
    thus ending the problem.


Correct me if I'm wrong, as I'm NOT a web guru, but I think there are three
ways to get the user names, and it's enough if this only works in some cases:

(1) Brute force (look at who's currently active on the site)

(2) Look at browser history (HN users have to constantly look at their own
profile to check for replies, and the URL contains their user name)

(3) Send whatever request the browser sends to HN normally, and get the user
name embedded in the page.

Again, I don't know enough about browsers/JS/HTTP/HN to know if any of the
above would work. I'm just saying I'm not sure that explicitly giving out your
user name is required for this.

Edit: typos

------
asdflkj
Some context:

<http://www.reddit.com/r/programming/comments/67gu9/take_the_arc_challenge/c032kur>

------
ajju
Well done, you proved two things: 1) that you can write a script that does an
HTTP GET and 2) that you should not be trusted.

Was that a net gain for you?

~~~
critic
For the record, I'm not xach. I just saw this on Programming Reddit.

Edit: link
<http://www.reddit.com/r/programming/comments/854w0/faking_votes_on_hacker_news/>

~~~
ajju
OK. I direct my comment at xach (since I can't edit it any more).

------
run4yourlives
What's really stupid about all this is that I give fellow users on this site a
little bit of trust because I know that many times, they would like advice or
help with their projects, or conversely, they have stumbled on something I can
learn.

So I don't worry too much about giving my user name out, or entering it into
other HN members' apps. I did it, and I'm not worried about it really. It's
not like run4yourlives is my bank id or anything.

What bothers me about the whole thing though is that I've now had it confirmed
that HN is too big to trust anymore. Whereas before, there was a sense of
kinship with people here - none of whom I've ever met - I now have to worry
that some of them are just losers looking to exploit my trust.

That's worse than off topic posts and low quality comments really. It's an
attack on the fabric of the community, and the value of the users. It's clear
now that I must treat HN as I would treat reddit or digg or any other room
full of potential idiots; people who would much rather exploit trust than
build it.

Sad but inevitable I suppose.

~~~
l0gic
Honestly, what have you lost? Nothing. The truth is that you shouldn't be
trusting a bunch of people you've never met ANYWAY. Nobody's asking you to
give them your address or mother's maiden name, but you wouldn't give those
out if asked by a fellow member anyway. You should always be wary of sites
asking for your information for whatever reason, and just because you trust
some of the people on HN doesn't mean there aren't tons more on here that
could possibly deceive you.

People seem to react to this like the record companies reacted to
Napster. "OH NO! IT'LL KILL US ALL! Screw changing our ancient business model,
we'll just SUE 'EM!"

Instead of updating the way you think about HN (and other sites) you choose to
put down the person who enlightened you and cast him out as some sort of
heretic.

Hackers INVENT, hackers BREAK STUFF, and hackers BRING OUT THE UGLY! Why is
Xach getting martyred for being a real hacker?

Besides, he's giving HN huge publicity. Jeff Atwood twittered about this
thread.

~~~
asnyder
I don't know whether you've been paying much attention to some of the threads
lately but HN is trying to maintain a particular feel. It's huge publicity
that begins to erode HN and turn it into something that many of us would
rather avoid.

~~~
l0gic
"Huge publicity"... but it's already publicly advertised in many places, many
big names are blogging/twittering about it, did you really expect everyone to
ignore it? If it's got such a good feel to it, why can't everyone else get in
on that? So far all I've seen is elitism, both in comments I'm reading and the
replies to my own (first) comment. Hackers aren't supposed to like elitism.
We're supposed to promote the sharing of knowledge, information, freely and
openly, you know... because that's how the world should be. Or so we say. But
I haven't seen that here. I've seen the typical elitist social community, with
the people who've been here "longer" running the show aside from the admin.

Decided to end my thought there, it was running a little long...

------
tptacek
Am I wrong, or is this just saying HN is CSRF-able? There are commerce apps
that are still CSRF-able. And this is a comparatively clumsy attack, since
there's no trivial way to get your username blindly.

~~~
tlrobinson
Yes, I think it's considered CSRF, but indeed it's not as bad as it could have
been, since it still requires you know the username of the logged in user.

It's also nowhere near as bad as the state of the Twitter API and apps, which
require a username _and_ password. People don't think twice about providing
unlimited access to their Twitter account to random websites. Hopefully the
OAuth API will fix that.

@pg: I think one solution would be to reject any vote requests with a Referrer
header other than news.ycombinator.com

~~~
tptacek
Referer is totally insecure.

If all it is is votes, I say the right solution is "let it go".

~~~
tlrobinson
AFAIK, checking the Referer header actually works for preventing CSRF because
you can't modify it for the types of requests that work cross domain, i.e.
loading <img>, <script>, etc tags, or posting forms.

~~~
tptacek
Your assumption here isn't crazy, but it depends on the browser, and you
shouldn't rely on it.
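As an added, defender-side example (not code from this thread, from xach, or from HN itself): a mock vote handler contrasting the Referer-only check tlrobinson proposes with the standard CSRF fix, a per-session synchronizer token that a cross-site page cannot read. The host name, session id, secret and the four requests are constructed for the example; the `Origin` header is assumed to be sent by modern browsers.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "news.ycombinator.com"
SECRET_KEY = secrets.token_bytes(32)  # constructed server secret; never sent to clients

def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token and render it into every vote link/form.
    Another origin cannot read the page, so it cannot copy the token."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def referer_only_check(headers: dict) -> bool:
    """The Referer-only defence discussed in the thread (strict variant:
    reject when the header is absent). Browsers and proxies often drop
    Referer, and some clients can set it, so on its own it is a weak guard."""
    ref = headers.get("Referer")
    return bool(ref) and urlparse(ref).hostname == SITE_HOST

def vote_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Hardened handler: same-host Origin/Referer as defence in depth when
    the header is present, plus the synchronizer token, which decides."""
    src = headers.get("Origin") or headers.get("Referer")
    if src and urlparse(src).hostname != SITE_HOST:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, form.get("csrf", ""))

def demo() -> dict:
    """Run four constructed requests through both checks."""
    sid = "victim-session"  # constructed session id
    tok = issue_csrf_token(sid)
    cases = [
        # real vote from an HN page, token rendered into the link
        ({"Referer": "http://news.ycombinator.com/item?id=1"}, {"csrf": tok}),
        # forged vote triggered by an <img> tag on another site, no token
        ({"Referer": "http://attacker.example/graph"}, {}),
        # real vote whose Referer the browser or a proxy stripped
        ({}, {"csrf": tok}),
        # forged vote from a client that sets Referer itself, still no token
        ({"Referer": "http://news.ycombinator.com/"}, {}),
    ]
    return {
        "referer_only": [referer_only_check(h) for h, _ in cases],
        "hardened": [vote_allowed(sid, h, f) for h, f in cases],
    }
```

The Referer-only check wrongly rejects the third request (a real user) and wrongly accepts the fourth, while the token check gets all four right.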

