

Ask HN: Has Hacker News been hacked/cracked? - code_devil

It seems like you can change the about field under PG's account http://news.ycombinator.org/user?id=pg using this appjet app
http://notabank.appjet.net/
======
pg
Yes. I made an unbelievably stupid mistake in the code that generates forms
with labelled fields. It was basically functional programming taken a little
too far: I generated the same form whether the fields were editable or not,
and then later if there were no editable fields I just omitted the submit
button. So anyone looking at the source of one of these pages could find a
fnid that would work to modify the object displayed on it. (There's still a
fnid, but it no longer does anything.)

~~~
pg
Actually on closer examination the bug was subtler than that. I did check
whether the incoming request was allowed to modify each field it was trying to
modify. But the code that decided whether a field was modifiable was using a
four variable list to destructure on a five value description of the field.
This caused the variable determining whether a field was modifiable to be
bound instead to the value saying whether or not it should be displayed. Which
meant every field that was displayed was modifiable.
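
The destructuring mismatch pg describes here, together with the earlier point that a fnid alone reached the update code, can be reproduced in a few lines. This is an added example written for this thread, not Arc or Hacker News code: JavaScript array destructuring also silently ignores surplus elements, so a four-name pattern bound against a five-value field description gives "modifiable" the value of "displayed". The field layout, the `PROFILE_FIELDS` table, the `applyUpdate` handler and the request are all constructed for illustration; the strict-length helper is the safeguard IHackedHN proposes below.

```javascript
// Added example (not Hacker News / Arc code). Constructed field descriptions for a
// profile form, laid out as [name, label, value, displayed, modifiable].
const PROFILE_FIELDS = [
  ["about",  "about:",  "Lisp hacker", true,  true],   // shown, user may edit
  ["karma",  "karma:",  1337,          true,  false],  // shown, admin-only
  ["email",  "email:",  "pg@example",  false, true],   // hidden, owner may edit
  ["banned", "banned:", false,         false, false],  // hidden, admin-only
];

// Buggy check: four names bound against a five-element description. The fourth
// name ("modifiable") actually receives the fourth element, which is "displayed",
// so every displayed field becomes modifiable. The fifth value is never read.
function isModifiableBuggy(field) {
  const [name, label, value, modifiable] = field;
  return modifiable;
}

// Fixed check: bind all five positions so "modifiable" is the fifth element.
function isModifiableFixed(field) {
  const [name, label, value, displayed, modifiable] = field;
  return modifiable;
}

// Strict destructure (hypothetical helper): reject a pattern whose length differs
// from the list it is matched against, instead of silently dropping values.
function destructureStrict(list, names) {
  if (list.length !== names.length) {
    throw new Error(`pattern has ${names.length} names but list has ${list.length} values`);
  }
  return Object.fromEntries(names.map((n, i) => [n, list[i]]));
}

// Server-side update handler. Whether a submitted field may change is decided
// here, per field, from the field description; it must not depend on which
// inputs (or which fnid) happened to be rendered into the page.
function applyUpdate(fields, submitted, isModifiable) {
  const accepted = {};
  const rejected = [];
  for (const field of fields) {
    const name = field[0];
    if (!(name in submitted)) continue;
    if (isModifiable(field)) accepted[name] = submitted[name];
    else rejected.push(name);
  }
  return { accepted, rejected };
}

// Constructed request: a non-admin submits a new "about" text and a karma value.
const REQUEST = { about: "I hacked HN", karma: 1337 };

// Under the buggy check, karma is accepted because it is displayed; under the
// fixed check it is rejected because it is not modifiable by this requester.
console.log(applyUpdate(PROFILE_FIELDS, REQUEST, isModifiableBuggy));
console.log(applyUpdate(PROFILE_FIELDS, REQUEST, isModifiableFixed));
```

The defensive lesson is the one pg draws: the authorization decision has to be made on the server for every field in the request, and the check itself must be exercised with a test that submits a displayed-but-read-only field. A destructuring that quietly discards values hides exactly that class of mistake, which is why the strict helper fails loudly on a length mismatch.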

~~~
IHackedHN
That's actually pretty interesting to me. I didn't notice that when I was
looking at the Hacker News code. Perhaps Arc shouldn't allow a list to be
destructured except with a list of the same length? Allowing differing lengths
seems likely to cause subtle bugs like this.

~~~
pg
I generally tried to err on the side of flexibility, and it seemed more
flexible not to require the lengths to match. I could imagine cases where you
might want to use patterns both longer and shorter than the lists they were
matched against. On the other hand, I'm not sure I've ever ended up taking
advantage of this.

~~~
IHackedHN
Maybe you could use something along the lines of &rest to optionally support a
pattern shorter than the matched list?

~~~
pg
You could do that with a dot now. The trouble is, you end up creating a junk
variable:

    arc> (let (x . y) '(a b c) y)
    (b c)

~~~
IHackedHN
Making users create junk variables seems to me like better behavior than the
current implicit behavior. It's your decision, though, of course.

Anyway, is it safe to assume that you're not going to try to get me arrested
or anything?

~~~
pg
I feel like unnecessary variables are extra bad; in cognitive terms they feel
like they add more than one token to the length of a program.

Do you mean your username is actually descriptive? Since you are obviously a
Lisp hacker, I'd be happy to have a truce. Can you send me an email?

~~~
IHackedHN
Thank you. I've sent you an email.

------
markbao
Whoever did this, please post a Tell HN or otherwise an article on how you did
it. I'm sure others are curious (and would make a good starting point for
patching Arc)

From the source, it looks like there was a vulnerability in which the _fnid_
(I'm guessing a string that authenticates a user to edit an item?) was
searched for on PG's profile page (using the regex /<input type=hidden
name="fnid" value="([^"]+)">/). Then a POST request was made on the standard
profile saving resource news.ycombinator.com/x, with the _fnid_ which
authenticated the user's permission to edit the page, along with the about
text, as parameters.

 _Edit: PG says the fnid just points to a closure on the system. See above.
Which means... all you needed was a randomly generated fnid, and that's all
that you needed to edit anyone's page. Apparently?_

Clever, or just poor authentication design. But that's only one half of the
exploit. How were the points done? I'm going to rule out millions of accounts
created.

~~~
IHackedHN
The points were editable through similar means. Pages like
<http://news.ycombinator.com/edit?id=519433> contained a form that allowed all
of a story's details -- including title, url, and score -- to be edited. Just
like with profiles, the story editing forms didn't have fields for non-admins,
but just like with profiles, it was possible to submit a request with the fnid
from the form regardless of admin status.

------
joshuaxls
Yes, it was hacked. Here's the original post from a lesser hack earlier today
with pg's response containing the "not a bank" quote:

<http://news.ycombinator.org/item?id=518752>

~~~
nx
Okay, trust doesn't work as well as correct security measures. That's sad, but
true.

------
Spyckie
<http://source.notabank.appjet.net/>

~~~
kqr2
Just in case the original app gets taken down, I copied the source to
pastebin:

<http://pastebin.com/f1a67398f>

------
GeoJawDguJin
There are a lot of bogus links showing up on the front page with obviously
falsified vote counts (numbers starting with the digits "1337"). I'd say,
yeah, it's been seriously compromised.

~~~
jwb119
Re: 1337 <http://en.wikipedia.org/wiki/Leet>

~~~
The_Sponge
Yes, that's the joke.

------
pelle
I caught it here:

<http://skitch.com/pelle/beksu/hacker-news-hacked>

------
unalone
Yes, it has been. Looks like the site had some major vulnerabilities.

I emailed PG, if he didn't know already, and slowly some of the things are
being fixed back. PG's account is still vulnerable as of this posting. EDIT:
No it's not.

------
pmikal
Certainly seems like it.

------
sho
Dodged a bullet there I'd say. At least your "hacker" seems to be a reasonable
guy. Seems like he could have done a _lot_ more damage. I hope your backups
are up to date and verified recoverable; a more malicious intruder might not
be so kind.

While I appreciate and admire the sentiment that this is a "community of
trust", security still must be taken seriously. There are plenty of guys out
there with the ability to pull such tricks; they may not care about trust, and
the website is accessible to anyone, good or bad.

------
chanux
Of course it was hacked... By the creator of it :). That's why other hackers
find it interesting.

For the question whether it's cracked... I dunno but nothing is perfect.

~~~
chanux
Looks like the hackers don't understand that Hacker News is a nice hack
altogether.

~~~
markokocic
Nice and insecure one.

Anyways, the fact it is hacked drove some nice traffic to HN from reddit :)

