
How I hacked Digg - sant0sk1
http://www.phoboslab.org/log/2008/06/how-i-hacked-digg
======
ejs
I like how people that write these types of stories always justify it as
trying to help out... "In the hope that digg would now listen, I sent them a
second email."

So digg was supposed to jump on this problem and not worry about anything else
apparently.

It always seemed akin to saying

 _"I saw an unlocked vehicle today and I think it's important that all vehicles
remain locked. Since they didn't come running out when I told them to lock the
car, I put it in neutral and let it roll down a hill so that they will now
heed the warning"_

While warning about possible vulnerabilities is helpful I have a hard time
believing exploiting them is as well.

~~~
jobeirne
A better analogy would be "I saw an unlocked vehicle today and I think it's
important that all vehicles remain locked. Since they didn't come running out
when I told them to lock the car, I opened the car and left a note on the
dashboard stating I'd been in the car."

~~~
DEinspanjer
I disagree. I think the better analogy would be: "I saw an unlocked vehicle
today and I think it's important that all vehicles remain locked. Since they
didn't come running out when I told them to lock the car, I [opened] the car
and left a note on the dashboard stating I'd been in the car."

"And then I went into the bad part of town and distributed fliers all around
about how the car at the corner of Main and Screwed had been left unlocked for
a while and how it had a great stereo and iPod in it."

~~~
jobeirne
Still a bit off. "[going] into the bad part of town" would imply he went on
some devious message board and there released the information with a flashy
heading.

------
yan
While I support full-disclosure, I don't think the author acted responsibly.
He didn't give them enough time to respond, he didn't make any extra effort to
contact digg's engineers and he also very publicly bragged about it.

He didn't try to act modest and he used the buzzword 'hack' which appeals more
to non-technical than to technical people. Publicity stunt if you ask me.

~~~
jrockway
You seem surprised. Digg is one of the most popular sites on the Internet; the
guy is (rightfully) proud that he can make it break horribly.

------
jrockway
This is exactly what happens when you get a bit too excited about mixing
presentation and logic. It's easy for "$foo" to slip into the HTML, and then
your site gets hacked. This isn't really a PHP problem, but PHP certainly goes
out of its way to encourage you to write bad code like this.

~~~
yan
If you ask me, mixing presentation and logic is the core of most web
development. They just missed a lot of opportunities for sanitizing data.

I also don't see how PHP goes 'out of its way'. It doesn't do anything,
neither do most other web languages, you build or use existing frameworks and
libraries to help with such tasks.

~~~
simonw
Here's how to safely output a variable in PHP:

<?php echo htmlspecialchars($name); ?>

Here's how to do the same thing in Django:

{{ name }}

That's the thing that bugs me most about PHP: it's not even a productive
templating language!

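The pattern jrockway and simonw are arguing about, as an added example that is not code from the thread, from the linked article or from Digg: a variable interpolated straight into markup, the bare htmlspecialchars() call from the comment above, and a helper that passes the flags a practitioner would actually want. The inputs, the e() helper name and the surrounding HTML are constructed for illustration.

```php
<?php
// Added example, not from the thread or from Digg's code: the unsafe
// interpolation pattern beside a context-aware escaping helper.
// $comment, $title and the markup around them are constructed inputs.

declare(strict_types=1);

// Constructed attacker-controlled values, as they might arrive in $_GET/$_POST.
$comment = "<script>alert(document.cookie)</script>";
$title   = "Digg' onmouseover='alert(1)";

// 1. The vulnerable pattern: "$foo" slips into the HTML unchanged, so the
//    browser executes whatever the user submitted.
function renderUnsafe(string $comment): string
{
    return "<p class=\"comment\">$comment</p>";
}

// 2. The bare htmlspecialchars() call from the thread. Before PHP 8.1 the
//    default flag was ENT_COMPAT, which escapes < > & and " but leaves the
//    single quote alone, so inside a single-quoted attribute the payload
//    still breaks out of the attribute value.
function renderAttrHalfSafe(string $title): string
{
    return "<a title='" . htmlspecialchars($title) . "'>link</a>";
}

// 3. Hardened: ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces
//    invalid byte sequences instead of returning an empty string, and the
//    charset is stated explicitly rather than relying on the PHP default.
//    Use the same helper for element text and for double-quoted attributes;
//    URL and JavaScript contexts need their own encoders, not this one.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $comment, string $title): string
{
    return '<a title="' . e($title) . '">' . e($comment) . '</a>';
}

// Demonstration: run with `php example.php` and compare the three lines.
echo renderUnsafe($comment), "\n";        // script element reaches the browser intact
echo renderAttrHalfSafe($title), "\n";    // on PHP < 8.1 the ' terminates the attribute early
echo renderSafe($comment, $title), "\n";  // both values are rendered as inert text
```

The middle case is the one worth remembering: calling htmlspecialchars() is not the same as calling it correctly, and which characters must be encoded depends on where in the document the value lands. Django's `{{ name }}` autoescaping removes the "forgot to call it" failure mode that jrockway describes, but the context problem still has to be handled by whoever writes the template.
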
~~~
vulpes
I didn't realize Django is a language. Let's not compare frameworks to
languages.

~~~
simonw
I personally think PHP blurs the line between a language and framework. The
"framework" part is the 20,000 builtin functions and the mechanism it provides
for executing code as part of a dynamic web request.

In any case, my intent wasn't to compare Django to PHP, it was to point out
that PHP's default way of outputting things really does make it inconvenient
to write secure code - hence answering the parent post that argued that poor
security had nothing to do with the language used.

------
Antiglobalism
Who cares about digg? The site is going downhill, thanks to idiots posting
"news" about their latest trip to WalMart and 10 reasons to hate Bush.

~~~
ojbyrne
You've inspired me for some reason to defend the site (I'll admit to bias,
check my profile). Digg is a very highly trafficked site, and the content might
not be to the liking of the people here, but it started just like most of the
companies that inspire everyone here that I've interacted with. Along the way
it's done some cool stuff, created jobs for coders and inspired a raft of
imitators.

Don't know why you inspired me to speak up.

And concerning the current problem, avoiding XSS and CSRF holes demands
vigilance, especially with the many, many demands put on programmers at
startups. Perhaps only with PHP, but I think programmers are often clever
enough to work around almost any constraints, and sometimes they see security
as a constraint. Digg always attracted users interested in proving their
mettle by finding security holes, and as a result the developers are pretty
vigilant about fixing holes.

Concerning the content of digg, well, it's an adventure ;-). As it's grown,
it's left lots of room in its wake for other (maybe better) communities to
develop.

------
metatronscube
Oh!...we have ALL soooo wanted to hack digg, don't get me started on
digg...see if I had a.....

------
muriithi
I thought the title of the article should read "How I cracked Digg". Go away
cracker!

