
Show HN: A Way To Hack HN's Karma - GreekOphion
I submitted a link; when someone clicks on it, I get an up-vote for this article.

I don't want people to misuse this; I just want to bring attention to this problem.

This is the link I used that up-votes this: http://news.ycombinator.com/vote?for=3742742&dir=up&whence=%6e%65%77%65%73%74
======
ccarpenterg
Nice hack! We should call it 'Same-site request forgery'.

------
ssclafani
I emailed PG about this a week ago, his response:

"It just seems to."

Normally loading the vote URL directly doesn't work because votes that don't
have a HN referrer don't get counted. By submitting the URL to HN and getting
people to click through, a HN referrer gets sent, making the votes look
legitimate.

------
citricsquid
I had always assumed this was impossible because my votes have an auth key
attached. Does this mean that the auth key is not used and is just there to
trick casual observers into thinking there is security?

    vote?for=3742852&dir=up&by=citricsquid&auth=478876d54494692615d9f2ca184fa9fab2fb9ff7&whence=%69%74%65%6d%3f%69%64%3d%33%37%34%32%37%34%32

~~~
jpulgarin
That parameter is absent when you're not logged in.

------
carbocation
PG could start using POST & CSRF protection to lock this down. Or we could
just avoid doing this to each other.

~~~
daeken
CSRF protection is the right way to solve this. Switching to POST doesn't
provide any real protection; an attacker can simply put up a form that
autosubmits to the endpoint with POST.

~~~
Bakkot
CSRF couldn't stop this particular attack, since it's not actually cross-site.
You need to guard against both.

~~~
daeken
I think you misunderstand what CSRF protection does. It doesn't have anything
to do with same-origin security, but rather preventing request forgery attacks
in general. If a CSRF token was present on requests and was tied to a user's
session (as is standard), then that would absolutely defend against this
attack.
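
As an added illustration of daeken's point (example code written for this page, not HN's implementation): a vote handler that trusts only the Referer header, as the thread describes, beside one that requires POST and a token bound to the voter's own session. The session id, the third-party origin and the request shapes are constructed for the demo; the `auth` parameter name is borrowed from citricsquid's URL above.

```python
import hashlib
import hmac
import secrets

# Constructed for the demo; a real deployment keeps this in configuration.
SECRET_KEY = secrets.token_bytes(32)
HN_ORIGIN = "http://news.ycombinator.com/"


def make_csrf_token(session_id: str) -> str:
    """Token tied to one session; the server recomputes it, so nothing is stored."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vote_referer_only(method: str, headers: dict, params: dict, session_id: str) -> str:
    """Weak check from the thread: any request carrying an HN Referer counts.
    A submitted story whose URL is the vote endpoint satisfies it on every click."""
    if not headers.get("Referer", "").startswith(HN_ORIGIN):
        return "ignored: no HN referer"
    return "counted"


def vote_hardened(method: str, headers: dict, params: dict, session_id: str) -> str:
    """Require POST plus a token derived from the voter's session.
    A link someone else submits cannot carry the victim's token, whatever its Referer."""
    if method != "POST":
        return "rejected: GET not allowed"
    if not hmac.compare_digest(params.get("auth", ""), make_csrf_token(session_id)):
        return "rejected: bad csrf token"
    return "counted"


# Constructed requests: a reader clicking the submitted story link (GET, HN Referer),
# an auto-submitting form on a third-party page (POST, guessed token), and a real vote.
VICTIM = "session-of-some-reader"  # hypothetical session id

def clicked_story_link(vote):
    return vote("GET", {"Referer": HN_ORIGIN + "newest"},
                {"for": "3742742", "dir": "up"}, VICTIM)

def autosubmitted_form(vote):
    return vote("POST", {"Referer": "http://third-party.example/"},
                {"for": "3742742", "dir": "up", "auth": "guess"}, VICTIM)

def genuine_vote(vote):
    return vote("POST", {"Referer": HN_ORIGIN + "item?id=3742742"},
                {"for": "3742742", "dir": "up", "auth": make_csrf_token(VICTIM)}, VICTIM)
```

Only the session-bound token stops the click-through vote while still accepting the genuine one; the Referer check alone accepts both.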

~~~
marshray
Wonder if you could get around that by submitting a javascript: link.

~~~
daeken
As far as I can tell, only http(s) links are accepted by the submission form.

------
deadmike
An interesting bug, but if anything won't it just earn you fake points on a
website, while making everyone on that website hate the account that's
accruing the points, essentially making those "hacked" points' meaning moot
anyway?

------
staunch
I saw this but don't really consider it much of a problem. It's the kind of
thing that you can't _really_ exploit. It'd be obvious if you really tried to
use it for evil and then PG would kill your account.

~~~
kwamenum86
Not necessarily. You could make the CSRF request on, for example, 80 percent
of the views to make it look legit. You could even take a more sophisticated
approach and start by automatically upvoting for 100 percent of logged in
users just to get on the front page and dampening once your story rises in the
rankings.

~~~
staunch
And if any users notice, your account and domain are banned. Not saying it
shouldn't be fixed, but I doubt you would have much luck exploiting this at any
scale.

------
olalonde
Now that it's out there, I made a self up voting version:
<http://news.ycombinator.com/edit?id=3742902>

~~~
GreekOphion
Let's try not to ruin the Front Page with a bunch of these. I believe one is
enough.

------
rickdale
Is that how this story became number 1 without a pg comment? If this was
serious you would think pg would have commented.

------
goo
I'm fairly certain that unless the referer is the "new" page, it counts
negatively toward the story's promotion.

~~~
MichaelApproved
The #1 post on HN is exploiting this and it's working just fine.

------
RandallBrown
What is the link?

~~~
GreekOphion
If you go to this submission and click it, it up-votes this:
<http://news.ycombinator.com/item?id=3742745>

